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OVERSIGHT ON MEDICAL PRIVACY 


TUESDAY, APRIL 16, 2002 

United States Senate, 

Committee on Health, Education, Labor, and Pensions, 

Washington, D.C. 

The committee met, pursuant to notice, at 10:05 a.m. in Room 
206, Hart Senate Office Building, Hon. Edward M. Kennedy (chair- 
man of the committee) presiding. 

Present: Senators Kennedy, Dodd, Wellstone, Murray, Reed, 
Clinton, Gregg, Frist, Enzi, Warner, and DeWine. 

OPENING STATEMENT OF HON. EDWARD M. KENNEDY, A U.S. 

SENATOR FROM THE STATE OF MASSACHUSETTS 

The Chairman. We will come to order. I am pleased to hold this 
very important hearing on what is happening with patients’ medi- 
cal records. The blessing of high technology can also be a curse to 
personal privacy. With the click of a mouse our most personal in- 
formation can be launched into cyberspace for millions to see. If we 
do not take steps forward to protect privacy in the information age, 
our most personal information will be available to every employer, 
every health insurance company, and every high-tech peeping Tom 
in America. 

This is not only unfair to patients; it is bad for their health. A 
recent study found that one out of every six patients withdraws 
from full participation in their own health care because they worry 
their medical information will be used. 

We have worked hard to strengthen privacy protection for Ameri- 
ca’s patients. In the Health Insurance Portability and Accountabil- 
ity Act of 1996 we said privacy protections were so important that 
if Congress did not pass legislation to strengthen privacy the ad- 
ministration should put in place real protections. The Clinton ad- 
ministration did just that when it adopted a comprehensive set of 
protections to give all Americans control of their private medical 
records. However, the new rule recently proposed by the Bush ad- 
ministration would rescind these protections and would make pri- 
vate medical records an open book. 

This is a serious step backwards. Each time patients see a doctor 
or fill out a prescription they are at greater risk that their most 
personal medical information will be available to prying eyes. The 
administration has proposed new rules that say health providers do 
not have to get consent to determine how your medical records are 
used. Requiring consent assures that the patient plays a role in 
how their health information is used. It is the only real way to as- 
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sure that patients and only patients control sensitive information. 
It restores faith in the health care system. 

Of course, certain narrow and common sense exceptions are 
needed. For example, your personal physician should be allowed to 
phone in your prescription to your pharmacist. There is no reason 
that you should have to make a separate trip to the hospital before 
surgery just to consent. We can address these practical challenges 
without undermining the core protections in privacy. 

The Bush administration’s proposals say patients simply have to 
be notified, not asked, about what is going to happen with their 
medical information. We should not throw the baby out with the 
bathwater. All Americans should be assured that their personal 
medical information is theirs and theirs alone. 

The administration’s plan also provides for a new back-door loop- 
hole that allows companies to use private medical records to mar- 
ket their products. This means, for example, that patients seeking 
treatment for mental illness would have that information shared 
with companies selling anti-depressants and other therapies. Those 
companies would be free to send open mailings to your work or to 
your home. The administration claims the new regulation grants 
new protections against abuse. They argue that a new authoriza- 
tion is required before a health provider or business can market to 
a patient. But the same proposal allows doctors and pharmacists 
to provide, without permission, the health information of their pa- 
tients to businesses that will try to sell them new drugs, therapies, 
nursing home placements, and other care. This loophole is a tele- 
marketer’s dream and a patient’s nightmare and it must be closed. 

I look forward to working with my colleagues on legislation to as- 
sure Americans that their medical records will be kept private and 
I welcome our distinguished witnesses to today’s hearing. 

Senator Gregg. 

OPENING STATEMENT OF HON. JUDD GREGG, A U.S. SENATOR 
FROM THE STATE OF NEW HAMPSHIRE 

Senator Gregg. Thank you, Mr. Chairman. 

Medical privacy is an issue that affects every American, and yet 
prior to the passage of HIPAA in 1996, there was no Federal struc- 
ture or law in place that would ensure that our medical informa- 
tion remains private. HHS has been working for several years to 
develop comprehensive rules that govern the use and disclosure of 
protected health information. This is no easy task, given the com- 
plexity and fragmentation of our health care system, including the 
fact that our private health care insurance system is employment- 
based and dependent upon a system of third party payers. 

I would like to commend the administration for proposing signifi- 
cant improvements to the rules. These changes provide important 
clarifications that will aid in implementation and compliance. 
Moreover, these changes will prevent the unnecessary and harmful 
disruption of a patient’s care that would have occurred under the 
existing rules, a very important point. 

Although the proposed rule would clarify or improve several dif- 
ferent provisions, the most important proposed modification per- 
tains to the consent and notice requirements on direct treatment 
providers. Under the existing rules, a patient would have to give 
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prior written notice, prior written notice, to each and every pro- 
vider that the patient sees or even schedules an appointment with. 
Not only would this requirement disrupt and delay care but the 
protection it would have provided is merely illusory because a pro- 
vider could withhold care if the patient does not provide the con- 
sent. 

There are numerous examples of how, if unchanged, this require- 
ment will harm or delay patient care. For instance, a patient re- 
ferred to a specialist by his or her physician may not even be able 
to schedule an appointment without first going to the specialist’s 
office and completing a form. Because only patients can give con- 
sent, a sick or elderly person could not have a friend or a family 
member pick up their prescription unless they first go and sign a 
consent form with the pharmacy, resulting in serious delays in 
starting medication. 

Ordinary physician practices, such as arranging out-patient sur- 
gery or calling in prescriptions, would be in jeopardy. One hospital 
stay might result in a sick patient having to fill out multiple new 
forms, new consent forms, in addition to all the forms already re- 
quired for treatment — one for the hospital, one for each nurse, one 
for each doctor, one for each medical technician that the patient 
sees under this proposal. 

There are numerous examples of disruption in patient care that 
would occur as a result of the prior consent requirement, and there 
are likely many more that have not been contemplated. Thus, the 
suggestion to keep this requirement in place but create exceptions 
for all the various situations in which prior consent would disrupt 
care is simply unworkable. 

By changing this provision we avoid a consumer backlash of 
major proportions. While consumers rightly seek the strongest pos- 
sible privacy protection, they have little tolerance for bureaucracies 
and hoops that make it even more difficult to navigate our complex 
health care system, especially if the additional bureaucracy does 
not provide meaningful protection or enhance the quality of care. 

Consumers and physicians support the changes in the consent re- 
quirement, and this is an important point. A letter dated April 10 
from a broad range of physician groups, including the American 
Academy of Family Physicians, the American College of Obstetri- 
cians and Gynecologists, and the American Medical Group Associa- 
tion, strongly support the administration’s proposed changes in the 
consent requirements. These organizations represent over 400,000 
physicians. 

In an earlier letter dated December 20, 2001, the National Part- 
nership for Women and Families Consumer Organization and 
United Health Care co-signed a letter to Secretary Thompson rais- 
ing serious concerns that the existing consent provisions will seri- 
ously jeopardize quality of care, I would like to submit all those let- 
ters for the record. 

Senator Dodd, [presiding]. Without objection, so ordered. 

[The letters follow.] 
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April 10, 2002 

The Honorable Edward M. Kennedy, 

Chairman Health, Education, Labor and Pensions Committee, 

Washington, DC. 

Dear Chairman Kennedy: The Department of Health and Human Services 
(HHS) recently issued proposed changes to the medical privacy rule “Standards for 
Privacy of Individually Identifiable Health Information.” The undersigned national 
health and medical organizations and specialty societies strongly support the pro- 
posed rule’s approach in making prior consent discretionary. Unfortunately, various 
press articles and commentary have seemed to suggest that physicians do not sup- 
port the proposed change. It is important for Members of Congress to know that 
many physician and provider organizations do support the proposed modification to 
make prior consent discretionary rather than mandatory. 

Physicians and practitioners strongly support meaningful Federal privacy protec- 
tions for patients’ medical information. Under the proposed rule, covered entities 
would not be required to obtain written consent from patients before using or dis- 
closing protected health information for such routine purposes as treatment, pay- 
ment, and health care operations. However, unlike the proposed regulation issued 
under the Clinton Administration, covered entities would not be prohibited from ob- 
taining written consent if they choose. We believe this approach strikes the proper 
balance of protecting the rights and autonomy of patients, while removing unneces- 
sary barriers that interfere with patient care and the efficient delivery of health 
care. 

It is important to note that eliminating the prior consent requirement does not 
detrimentally affect patients’ privacy rights in any meaningful fashion. Even privacy 
advocates called the consent requirement meaningless because the regulation per- 
mitted providers to deny treatment to individuals who refused to sign the consent 
form. Furthermore, we believe that the written notice requirement is the true back- 
bone behind patients’ privacy rights. The written notice, not the consent form, is the 
means by which patients are informed of their rights under the regulation and how 
and to whom their medical information may be used or disclosed. The proposed rule 
actually strengthens the notice requirement, which we fully support. 

Not only would the prior consent requirement add yet another mandatory form 
to the already unmanageable paperwork burden that physicians and practitioners 
face on a daily basis, it could pose serious problems for patient care. HHS outlined 
many of the potential problems in the proposed rule. 

The prior consent requirement could confuse patients and increase patient waiting 
times. Physicians and practitioners would be prohibited from treating patients or 
providing other services for them, until the form is actually signed. For example, 
physicians who have privileges at a number of hospitals would need either to estab- 
lish multiple organized health care arrangements or ask each patient in the hospital 
to sign a physician consent form in addition to the consent form provided for the 
hospital. If a patient were required to sign multiple consent forms to receive care 
at a hospital, this would hinder and delay patient care. 

Additionally, the prior consent requirement would potentially interfere with the 
ability of physicians and practitioners to continue many daily practices such as re- 
ferring patients for treatment, arranging outpatient surgery, and calling-in prescrip- 
tions. Furthermore, physicians and practitioners might not be able to use patients’ 
information to send important reminders regarding patient treatment (i.e., child im- 
munization and mammography reminders). 

HHS faced the difficult challenge of protecting patients’ privacy rights, while at 
the same time removing unnecessary barriers that interfere with patient care and 
the delivery of health care. We strongly believe that HHS met this challenge in the 
proposed rule, and we oppose any efforts to change it. 

Sincerely, American Academy of Dermatology Association; American Academy of 
Family Physicians; American Academy of Nurse Practitioners; American Academy 
of Physician Assistants; American Association of Neurological Surgeons/Congress of 
Neurological Surgeons; American Association of Orthopaedic Surgeons; American 
College of Cardiology; American College of Nurse-Midwives; American College of Ob- 
stetricians and Gynecologists; American Medical Group Association; American 
Podiatric Medical Association; American Society of Cataract and Refractive Surgery; 
American Urological Association Medical Group Management Association 


April 12, 2002 

Dear Member of Congress: As you may know, the Department of Health and 
Human Services (HHS) recently issued a Notice of Proposed Rulemaking (NPRM) 
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proposing modifications to the final privacy rule. The undersigned organizations are 
writing to let you know of our strong support for the proposed modification in the 
NPRM giving health care providers the option of obtaining the prior consent of pa- 
tients to use or disclose identifiable health information for treatment, payment and 
healthcare operations. The Department’s proposal to make obtaining consent op- 
tional for providers strikes a workable compromise between the original proposed 
regulation from 1999 that prohibited providers from obtaining written consent and 
the final regulation from 2000 which mandated it. 

We strongly support meaningful Federal privacy protections for patients’ medical 
records. An essential part of that commitment is ensuring that patients understand 
their rights and how their medical information will be used. However, adding yet 
another mandatory form to the burden that physicians, practitioners, pharmacists, 
hospitals and other health care providers already face on a daily basis does not ef- 
fectively achieve the balance of providing privacy protections and assuring timely, 
efficient access to health care. We support the Department’s proposed modification 
to make consent optional. 

The NPRM documented numerous disruptions and delays in receiving medical 
care that patients — particularly the elderly and those in rural areas — would face if 
the mandatory prior written consent requirement were not modified to make it op- 
tional for health care providers. For example, patients could experience significant 
delays in obtaining prescriptions because pharmacists could not fill the prescription 
until the patient were present to sign the consent. Friends and family picking up 
prescriptions for a sick individual would not have legal authority to sign the con- 
sent, and thus could not pick up the prescription. 

The NPRM described how patients referred to a hospital for outpatient surgery 
might have to make an extra trip to sign a consent form because the hospital could 
not use information about the patient to schedule and prepare for surgery. Nurses 
who staff telephone centers that provide health care assessment and advice, but 
never see patients, would be unable to counsel patients because they would be pro- 
hibited from using identifiable information for treatment and would he unable to ob- 
tain prior written consent. The NPRM also cites emergency medical providers who 
were concerned that even if a situation was urgent that they would have to try to 
obtain consent, even if inconsistent with best medical practices. There were also 
troubling questions about whether physicians who had privileges at several hos- 
pitals would have to obtain separate consent from patients at those facilities, even 
if patients had already signed consents for the hospital. 

These are just some examples of the potentially serious consequences of the man- 
datory prior written consent requirement. The Department wisely chose to correct 
the underlying problem with the proposed provision to make consent optional, rath- 
er than trying to address each adverse consequence of a mandatory consent require- 
ment as it presented itself. 

Sincerely, ACA International; Academy of Managed Care Pharmacy Advance PCS; 
Advanced Medical Technology Association (AdvaMed); Aetna Inc.; American Acad- 
emy of Dermatology Association; American Academy of Family Physicians; Amer- 
ican Academy of Physician Assistants; American Association of Health Plans; Amer- 
ican Association of Neurological Surgeons/Congress of Neurological Surgeons; Amer- 
ican Association of Orthopaedic Surgeons; American Benefits Council; American 
Clinical Laboratory Association; American College of Nurse-Midwives; American 
Health Care Association; American Managed Behavioral Healthcare Association; 
American Medical Group Association; American Pharmaceutical Association; Amer- 
ican Society of Cataract and Refractive Surgery; American Society of Consultant 
Pharmacists Association of; American Medical Colleges Biotechnology Industry Or- 
ganization (BIO); Blue Cross and Blue Shield Association; Cardinal Health; Cleve- 
land Clinic Foundation; The ERISA Industry Committee; Express Scripts; Federa- 
tion of American Hospitals; Food Marketing Institute; Genzyme Corporation; 
GlaxoSmithKline; Health Insurance Association of America; Healthcare Leadership 
Council; Intermountain Health Care; Kaiser Permanente; Lahey Clinic; Marshfield 
Clinic; Mayo Foundation; Medical Group Management Association; Merck-Medco; 
National Association of Chain Drug Stores; National Association of Health Under- 
writers; National Association of Manufacturers; National Retail Federation; Phar- 
maceutical Care Management Association; Premier, Inc.; Quest Diagnostics; 
UnitedHealth Group; US Chamber of Commerce; Vanderbilt University Medical 
Center; VHA Inc.; WellPoint Health Networks 


Senator Gregg. Some have suggested that the proposed change 
was driven by large corporate medical interests and thus is not in 
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the best interest of consumers and patients. This is not the case. 
While nearly every sector of the health care system supports the 
proposed changes, the modifications in the consent requirement 
only apply, only apply, and this is an important point, to direct 
care providers. 

Moreover, the proposed rule does not affect the requirements 
governing use and disclosure of protected health information. Au- 
thorization would still be required for any other use of the pro- 
tected health information. 

The proposed change to the consent requirement strikes the right 
balance. The original rule issued by the Clinton administration 
would have actually prohibited prior consent. I think that is an im- 
portant point we have to stress here. President Clinton originally 
proposed that there would be no prior consent. And that change, 
the reason they changed it then was because the American Medical 
Association, allegedly on behalf of its constituency, and I cannot be- 
lieve it, but that is the allegation, wanted the prior consent to be 
in place. I am tempted, quite honestly, very much tempted to say 
if the American Medical Association wants prior consent, we will 
give it to them, just for them, but we have not heard from the 
American Medical Association recently on this point and maybe 
their position has been modified. 

Many providers objected to the ban on prior consent and rightly 
so. The final Clinton rule would have mandated prior consent be- 
fore any kind of interaction with the health care provider. This is 
far too disruptive. The proposed rule before us would not mandate 
prior consent. Instead, it would require providers to give notice of 
their privacy practices. This would allow patients to be fully in- 
formed of how their information will be used and would allow them 
to act accordingly. It is preferable to the coerced consent provisions 
contained in the existing rule. 

Finally, I would like to thank the administration for other pro- 
posed modifications of the rule, including the clarification to the 
marketing, parental consent, parental access, business associations, 
and the plan sponsors’ enrollment provisions. I look forward obvi- 
ously to hearing from the administration on this point. Thank you. 

Senator Dodd. Thank you, Senator. 

Senator Kennedy has temporarily been called away from the 
committee and will return shortly. We will get to Mr. Allen briefly 
but let me make a brief — I am going to ask unanimous consent to 
include the full text of my opening remarks and that will apply, by 
the way, for every member of the committee, those who are here 
and those who have not shown up yet, to share their views. 

OPENING STATEMENT OF HON. CHRISTOPHER J. DODD, A U.S. 

SENATOR FROM THE STATE OF CONNECTICUT 

Senator Dodd. First of all, let me commend our chairman, Sen- 
ator Kennedy, for convening this hearing on relatively short notice 
but in light of the decisions made just prior to the departure of the 
Congress for the Easter-Passover break when the news came out 
about the change in policy here, we thought it was appropriate to 
try and gather together as quickly as we could to express ourselves 
on this issue. 
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I do not know of another issue that provokes as quick or as 
strong a response from the public as the issue of privacy does, par- 
ticularly in light of how the world has changed in the last decade. 
I often tell audiences at home in Connecticut that on the day that 
President Clinton was sworn into office on January 20, 1993 there 
were 55 pages on the World Wide Web. To give you some idea how 
the world has changed in a decade, today someone suggested I 
think the number is maybe almost a million pages an hour get 
added to the World Wide Web, or some number like that. 

The point is today the use of the Internet and technology to ex- 
pand information and sources of it, as well as people’s access to in- 
formation has grown exponentially and there is a growing body of 
concern within the public about how much information people 
have, what they do with that information, and to the extent people 
are able to pry into the private lives and private information. 

We would not allow anyone to come rummaging through our 
house, to go through our waste baskets, to go through our medical 
cabinets and cases. We would not tolerate that, let anyone in our 
homes to do it. In a sense, if you can, in effect, do that today by 
rummaging through people’s private, most privately held informa- 
tion, then you can begin to get some sense of the concerns people 
have. 

So the ability to control very personal information is an issue 
that is deeply felt by people and it crosses all your traditional ideo- 
logical and political lines. This is as strongly held feeling among 
Democrats, Republicans, liberals, moderates, conservatives as any 
issue I am aware of, the issue of privacy. 

Since 1996 when the Health Insurance Portability and Account- 
ability Act was passed many of us here have worked to develop leg- 
islation to try to protect medical records, and that is what we are 
talking about here today, in a meaningful and comprehensive fash- 
ion. Unfortunately, we have not yet developed a bipartisan legisla- 
tive response. Senator Richard Shelby, my colleague from Alabama, 
and I chair the Privacy Caucus, co-chair it with colleagues in the 
House and the Senate, to give you some idea of the bipartisanship 
in trying to work on these issues. 

But these are complicated questions. None of us are going to sug- 
gest that dealing with this is a simple matter. We have tried ideas 
in the past and there are always some unintended consequences 
when you deal with this issue, but we have worked on it. 

Let me, in response to my friend from New Hampshire, point out 
that the Clinton Administration did, in my view, a tremendously 
admirable job in developing some very important privacy protec- 
tions in the medical area. For the very first time patients were 
given the right to access their own medical records. I know that is 
a radical idea. It is hard to imagine, but for a long time you did 
not have any right to see your own information at all and these 
rights seem so basic, as I said, that it is hard to imagine they did 
not exist before. Imagine the frustration of being denied a request 
to see your own medical information or having a telemarketer con- 
tact you at home based on targeting data derived from those 
records, and that is rather commonplace today. In a very real way, 
this is a personal violation in the minds of many, many Americans. 
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The final medical privacy rule was an immense undertaking. 
Upon announcing the regulations in late 2000, the Department of 
HHS received over 50,000 comments from health care providers, in- 
surance companies, doctors, and patients across the country. The 
final rule that took effect did so in April of 2001. It was not thrown 
together haphazardly. It was created with an understanding of the 
difficulties and costs associated with its implementation. But the 
determination was made, correctly in my mind, that medical pri- 
vacy should not be compromised. 

Yet now the Bush Administration has announced its intention to 
do exactly that in the views of many of us up here, Democrats and 
Republicans. Their proposals would undermine, in our minds, some 
of the most important protections that we have worked to establish 
over the last 5 years. The administration, as we understand it, 
wants to allow health care providers enormous discretion in how 
they use your medical records, your most personal and private in- 
formation, something that in my view you, as a citizen, and you 
alone should be the one to make a decision about. 

The Bush Administration proposes to remove the provision in the 
medical privacy regulations that requires a health care provider to 
obtain a patient’s consent in order to share his or her records for 
“treatment, payment, and other routine health care operations,” 
and that is a quotation. Those are not my words. Instead, they 
want to make it mandatory for providers to inform patients that 
their records have been shared. This can be done before or after the 
fact, according to the proposal. That is very generous. It is like a 
neighbor calling you to tell you that he has read your mail and 
gone through your medicine cabinet, except, of course, in the exam- 
ple, in that case you have some legal recourse. Here you would 
have none. 

The administration claims to be proposing these changes because 
privacy threatens the quality and timeliness of care. This, I think, 
is unacceptable. There should be no trade-off between quality, 
timeliness, and privacy, in my view. All are necessary and all are 
obtainable. 

I understand that there are instances where obtaining prior con- 
sent is not possible, such as emergency care, phoned-in prescrip- 
tions to a pharmacy. In those cases the law should allow the pro- 
vider some leeway. But in general, privacy should not be com- 
promised. It is not necessary. It is a phony argument to suggest it 
needs to be done. And I believe that we should be here trying to 
protect those rights when at all possible. 

Now let me turn to my colleague from Tennessee, who I know 
has a deep interest in the subject matter, as well, and my other 
colleagues, and then we will get to you, Mr. Allen. 

Let me just say, as well, on the issue here, I understand the im- 
portance of how sharing information for clinical trials and other 
areas can be tremendously important, but the idea that you could 
do that after the fact or not letting the patient know about it, that 
does not make any sense to me and I think any effort to do that 
is going to find a wall of opposition up here in terms of that effort. 

At this time I would like to submit a statement from Senator 
Harkin. 

[The prepared statement of Senator Tom Harkin follows:] 
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Prepared Statement of Senator Tom Harkin 

I want to thank Chairman Kennedy for scheduling this impor- 
tant hearing. 

As health care practices have evolved over the past several years, 
and technology has allowed for the rapid mass transit of informa- 
tion, it has become critical to protect individual privacy — especially 
as it relates to personal medical information. 

If we are not strong on the protection, and vigilant on the en- 
forcement, we will be putting ourselves and our loved ones at risk. 

Wouldn’t it be ironic, and certainly tragic, if Americans are actu- 
ally harmed when they go to a medical provider because their med- 
ical records were inappropriately used or shared? 

Plain and simple, your private medical records should be just 
that — private. 

Time and time again, I’ve heard from Iowans who are concerned 
about the misuse of their private medical information. Sadly, this 
Administration has failed to listen to the voices of the people. 

I have worked hard to pass strong medical privacy protections 
that make clear that a patient’s medical records are not for sale. 
Patients must have a ‘right to know’ how their medical information 
is used and they should have the right to say ’no’ by controlling 
who has access to this most private of information. 

When I talk to the reasonable patients and providers throughout 
Iowa, they all share the same advice. Create a system that is not 
overly burdensome but appropriately protects individual’s medical 
records. 

If there were problems with the existing medical privacy regula- 
tions, then the Administration should work with the Congress and 
the health care industry to fix those problems. 

But that is not what was done. This reversal by the Administra- 
tion sacrifices patient privacy to the alter of special interests. 

Again, I thank the Chairman for scheduling this important over- 
sight hearing and I look forward to working with him to find a rea- 
sonable and manageable solution that above all else, protects pa- 
tients. 

Senator Dodd. With that, Senator Frist? 

OPENING STATEMENT OF HON. BILL FRIST, A U.S. SENATOR 
FROM THE STATE OF TENNESSEE 

Senator Frist. Thank you. And I want to thank the chairman 
and Senator Gregg for the opportunity to hold a hearing today on 
an issue that is contentious, as we have seen in some of the open- 
ing statements, and almost deservedly so because we all struggle, 
really struggle with this balance with information that is among 
the most intimate information known to mankind, the information 
about oneself, one’s health, one’s past, one’s physical, one’s emo- 
tional being, how much that information should be shared. 

There are certain advantages of the sharing, there are certain 
necessities of the sharing, but how we can build appropriate protec- 
tions where the ultimate confidentiality, which is critical — it is crit- 
ical to the doctor and the patient and that doctor-patient relation- 
ship and it is critical to delivering the sort of care which really has 
made American care the best in the world. 
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But it does boil down to trust, to confidentiality, to security, and 
that much influences openness and how much a patient tells a doc- 
tor and how much a doctor puts into a record. And ultimately other 
people have to access that particular record and it might not be the 
same doctor. In fact, it might not be the same doctor. In fact, in 
all likelihood, given the mobility of society today, it will not be that 
same doctor. Yet to demand the standards that are implied with 
continuity of care and seamlessness, something that we all want, 
we have to have an accurate recording of that doctor-patient rela- 
tionship, but in such a way that it is not to be abused. 

I have only been involved in this discussion at a policy level for 
the last 7 years, 6 years formally, and that balance is tough and 
we are seeing it play out before our eyes. 

I do appreciate the opportunity for all of us to examine in as ob- 
jective way as possible the impact on health information confiden- 
tiality regulations that were initially introduced in the shape that 
we are debating them and talking about them and discussing them 
by the Clinton Administration in the closing days, as well as look- 
ing at this administration’s proposed modifications to those rules. 
I do applaud Secretary Thompson, his staff at the Department of 
Health and Human Services, for carefully reviewing these regula- 
tions and for proposing adjustments that, I believe, will go a long 
way in safeguarding privacy while, at the same time, ensuring that 
patients continue to enjoy access to quality health care. 

Secretary Allen, I appreciate you being here today to discuss 
these proposed modifications in more detail and laying them out in 
such a way that we can further discuss them in the following 
panel. 

The protection of the confidentiality of patient information is crit- 
ical, but we also need to be extremely careful in this area so that 
we do not allow overly, unnecessarily restrictive rules that might 
threaten quality of care or the safety of care that patients receive. 
This, as I said a few moments ago, is not an easy balance to 
achieve. 

We have seen the effect of State legislation in certain cases. We 
will all be pointing to certain anecdotes and certain case studies, 
but we have seen cases where State legislation has gone too far. 
In Maine, for example, legislation requiring that patients give con- 
sent before identifiable information could be used by providers was 
repealed after only 12 days following reports that it interfered with 
patient access to prescription drugs and prevented hospitals from 
helping clergy and family members even locate their loved ones. 

During the past year, as physicians, nurses, scientists and con- 
sumers have received the Federal regulations proposed by the pre- 
vious administration, it became clear that these rules would impose 
similar barriers to health care access and quality. 

There have been serious concerns raised in other areas, as well. 
Over 140 academic research institutions, medical specialty doctors, 
hospitals and others wrote to the Department of Health and 
Human Services to warn of potential problems caused by the origi- 
nal regulations’ research provisions. They wrote that the rule, if 
implemented, “will seriously impair our ability to conduct clinical 
trials, clinico-pathological studies of the natural history and thera- 
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peutic responsiveness of disease, epidemiological and health out- 
come studies, and genetic research.” 

While the administration’s notice of proposed rulemaking does 
acknowledge that the rule’s deidentification standard raises serious 
concerns, I strongly urge the administration to fully address the 
concerns raised by the research community in its final rule. 

Finally, I would strongly encourage the administration to care- 
fully review all areas of the rule to make sure that it does not un- 
intentionally impede the efforts of our public health officials, as 
well as our private health professionals, to respond to bioterrorist 
threats and attacks. The original rule’s prohibition on the sharing 
of aggregate information could have made it impossible to effec- 
tively track and monitor disease outbreaks. I am pleased that some 
changes have been proposed in these areas, but because of the im- 
portance to quickly respond in these situations, I am hopeful that 
the administration will carefully review the entire regulation along 
these new lines in this new light. 

Again, Mr. Chairman and Senator Gregg, thanks for holding the 
hearing today and I look forward to hearing from our witnesses. 

Senator Dodd. Thank you very much, Senator. 

Senator Reed. 

OPENING STATEMENT OF HON. JACK REED, A U.S. SENATOR 
FROM THE STATE OF RHODE ISLAND 

Senator Reed. Thank you, Mr. Chairman. Just very briefly, 
thank you, Secretary Allen, for joining us today. 

These are vitally important regulations. There is no issue in 
America that is of more concern to individual Americans from 
every region of the country, every sector — everyone is concerned 
about the protection of the privacy of their health records and there 
are two particular concerns that these regulations raise. One is 
whether or not there really will be an effective at least one-time 
written consent for the release of health care information and sec- 
ond, whether or not the marketing aspects of these regulations in- 
vite the commercial exploitation of medical information, which I 
think most Americans would be horrified about. Think of the world 
of telemarketing with your health care records in hand and that’s 
a frightening thought. 

Robert Frost, the New England poet, wrote that “Good fences 
make good neighbors” and the real question is whether these regu- 
lations are good fences so that we can be good neighbors. I will look 
closely and listen closely to the hearing today to see if we have 
made progress in that regard, but frankly, this is one of those 
issues that you do not have to be an expert to be concerned. You 
just have to be an American citizen. Thank you. 

Senator Dodd. Senator Warner, do you want to make any open- 
ing comments? 

OPENING STATEMENT OF HON. JOHN W. WARNER, A U.S. 

SENATOR FROM THE STATE OF VIRGINIA 

Senator Warner. Very briefly. I just wish to welcome Secretary 
Allen, who served the Commonwealth of Virginia with great dis- 
tinction as our Secretary of Health and Human Resources. Now 
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you have come to Washington to get one of the toughest issues that 
anybody has to solve. I wish you luck. 

Mr. Chairman, I want to commend my colleague Senator Frist 
for all the hard work that he does in this and so many areas relat- 
ed to health care. Thank you, Mr. Chairman. 

Senator Dodd. With that encouraging note we turn to Senator 
Murray. 

OPENING STATEMENT OF HON. PATTY MURRAY, A U.S. 

SENATOR FROM THE STATE OF WASHINGTON 

Senator Murray. Thank you very much, Mr. Chairman. I just 
ask unanimous consent that my full statement be put into the 
record. 

Senator Dodd. Without objection. 

Senator Murray. I will just say that this is an extremely com- 
plex issue that this committee has been considering for some time 
and I think it is very important that we have these hearings today 
and further hearings before the administration’s rules take effect 
to truly understand this because, as Senator Reed said, this affects 
every single American and we had better know what we are doing 
and the outcome of that before these rules are finalized because the 
impacts could be considerable. 

For me, the most important thing is that people do go to their 
doctor feeling confident. Otherwise, we may create a situation 
where individuals would fear seeking health care and that is abso- 
lutely the wrong thing that we should be doing. 

So I really look forward to this hearing and further hearings as 
we clarify what these rules would mean to general, average people. 
Thank you very much. 

[The prepared statement of Senator Patty Murray follows:] 
Prepared Statement of Senator Patty Murray 

Mr. Chairman, the Administration’s decision — announced on 
March 23rd — to revise the regulations implementing medical 
records privacy has generated a great deal of concern. 

I think this hearing is an important step in better understanding 
the implications of these changes and an opportunity for this Com- 
mittee to again focus on the urgent need to ensure greater medical 
records privacy. 

As we learned in 1999, the issue of medical records privacy is a 
complex and emotional one. There are no easy solutions. 

In addition, because of our fragmented health care delivery sys- 
tem, there are often numerous individuals who have — and in many 
cases need — access to medical records. 

These aren’t just health care providers, and the ability to protect 
medical records privacy becomes further complicated by the num- 
ber of individuals with access. 

In 1999, this Committee attempted several times to report out 
legislation implementing HIPAA privacy regulations. 

Unfortunately, we were not successful and had to default to the 
regulatory process to implement privacy standards. Clearly, this 
has created many of the problems and concerns. 



13 


Because of the complexity and expense to providers of imple- 
menting these regulations, I supported additional relief for health 
care providers, especially smaller hospitals or physician practices. 

I supported an extension of implementation because I recognized 
the difficulty implementing these regulations. 

I also wanted to be sure that providers were able to implement 
them correctly and that patient privacy was the focus. 

Because there are limited private actions that an individual can 
take if his or her privacy is violated, it is critical that implementa- 
tion is accurate. 

In reviewing the Administration’s revised regulations, I have sev- 
eral concerns that I hope can be addressed or corrected legisla- 
tively. 

I am troubled that the Administration’s changes in the consent 
requirements will gut any real protections for patients. 

Simply notifying a patient that their information will be re- 
viewed or released is not adequate. Patients must have the right 
to consent to this release. 

While there are some cases that can be exempt from this require- 
ment, I think that weakening the entire consent requirement does 
little to ensure patients that their medical records will be kept con- 
fidential. 

I also have some real concerns with the ability of parents to have 
access to a minor’s entire health care record. 

This is one of the issues that derailed legislation in 1999 and is 
nothing more than an attempt to impose a national parental con- 
sent or notification on all States. 

It also serves to jeopardize efforts to improve access to STD or 
reproductive health care and mental health care for minors. 

The language in the regulation does appear to give providers the 
“discretion” at releasing information to parents or making it avail- 
able for review by parents. 

If a minor has any concerns or doubts the confidentiality of their 
records, they will NOT seek care. The guarantee of confidentiality 
has to be explicit, not up to a physician’s or provider’s discretion. 

It is also not clear how this provision impacts the language on 
State preemption. 

For example, Washington State guarantees a minor access to 
confidential reproductive health care and mental health services. 

This is not a tougher standard than the Federal regulation, so 
there is some concern that this regulation could preempt State 
laws and protections provided to minors in Washington State. 

I hope this Committee will have additional hearings on this 
issue. If legislative measures are needed to clarify or correct these 
regulations, I hope we’ll take the necessary action. 

The failure to implement a national medical records privacy 
along with a prohibition on genetic discrimination has created a 
situation where individuals fear seeking health care and are not 
providing comprehensive background to their health care provider. 

The implications of this are staggering and jeopardize access to 
new break-through screening and prevention. 
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Questions from Senator Patty Murray for Panel I: 

Question 1. In developing privacy regulations, the previous administration did not 
attempt to impose any new parental rights. 

The original regulations simply deferred to the States on parental consent or limi- 
tations on parental consent and notification. 

There was an effort in this Committee to impose this new national parental re- 
view or consent of the entire minor’s health care records. However, as I mentioned 
earlier, it was one of the reasons legislative action stalled in the Senate. 

• Why did this administration attempt to modify or expand parental consent or 
review rights? 

• How does this new revision impact States that have not been silent but have 
acted to ensure a minor’s access to confidential health care services? 

• Does this provider discretion extend beyond the physician’s office? 

Question 2. One of the major gaps in the current oversight is the fact that IRB 
requirements apply only to federally-funded research. 

Private research and some off-shore research are exempt. However, the FDA ap- 
proval process does provide some mechanism for ensuring the safety of human sub- 
jects in clinical trials. 

• Can we expand this authority to improve safety or should we expand the juris- 
diction of the Office of Human Research Protections at HHS? 

Question 3. It is difficult in today’s market-driven research arena to ensure in- 
formed consent. 

Patients are often facing life threatening illnesses. Parents may have a child who 
is facing a devastating diagnosis. 

Often, patients are almost begging to get into a clinical trial. They will sign any- 
thing or agree to anything. They may not pay close attention to any financial link 
the researcher may have to the treatment. 

• How can a research institution ensure that patients are fully aware of the risks 
associated with the trial as well as the risk associated with the established treat- 
ments? 

• How can researchers ensure that patients understand the financial link that 
the researcher or institution may have to the treatment? 

Question 4. I have found that many patients and families are often surprised 
when they learn that there is a financial link between researcher and treatment. 

They’re surprised when the learn that some physicians or doctors may be receiv- 
ing some future financial benefit from a drug manufacturer or royalty payments for 
a patent. 

Of course, in a market-driven economy, it’s difficult to separate what was justifi- 
able compensation and what was provided as way of inducing a bias on the part 
of the research. 

Many outstanding physicians and researchers receive financial compensation for 
their discoveries or their developments — yet this never impacts their hope at finding 
the cure or treatment. 

To assume that any financial link presents an inherit bias will jeopardize how re- 
search is conducted and eliminate incentives for furthering science. 

• Would more detailed disclosure requirements be enough to remove any conflict 
of interests doubts or allegations? 

• How do we provide compensation to those conducting researcher or evaluating 
clinical trials? 

• Is there a way to totally remove any bias on the part of researchers? 

Question 5. We place a great deal of oversight responsibility into the hands of the 

Institutional Review Board (IRB). But it appears there is limited oversight over the 
IRB or even the selection process for a local IRB. 

We know of cases of IRB shopping — where a researcher will simply apply through 
different IRBs despite being rejected or limited by another IRB. 

Once a researcher receives the approval of the IRB, the issue of monitoring be- 
comes questionable. 

• Would further accreditation of IRBs serve to standardize and improve the proc- 
ess? 

• Would established criteria for all IRBs, including the scope and timing of re- 
search review ensure greater safety? 

• How can we work to guarantee that IRBs have pediatric expertise or pediatric 
knowledge? 

Question 6. Recent press accounts of safety problems and violations in clinical 
trials have generated a great deal of concern. 

• Has the public lost confidence in clinical trials? 
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• Is the lack of confidence or the issue of safety to blame for low participation 
rates in clinical trials? 

• Will addressing some of the safety gaps restore confidence? 

Clinical trials are a vital part of our health care structure. If we are forced to wait 
until we eliminate any and all risks, we will lose too many patients and too many 
children. Greater access to clinical trials can mean the different between life and 
death, especially for pediatric cancer cases. 

Senator Dodd. Thank you very much, Senator. 

With that, Mr. Allen, we welcome you to the hearing on behalf 
of all of us here. Claude Allen is the Deputy Secretary of Health 
and Human Services. He is testifying today on the issue of medical 
privacy. He is now taking a leading role at HHS on a number of 
critical issues, including medical privacy. 

As the former Secretary of Health and Human Services for the 
State of Virginia, as has already been pointed out by Senator War- 
ner, Mr. Allen has a great deal of experience working with health 
care plans, State welfare, and access to care issues. So we are de- 
lighted to have you here with us, Mr. Allen. We are looking for- 
ward to your testimony. 

We will include any materials, by the way, and supporting docu- 
ments that you think are worthwhile for us to have as we go for- 
ward. So consider any additional information that you would like 
to have part of the record to be included. With that, we will accept 
your testimony. 

STATEMENT OF CLAUDE ALLEN, DEPUTY SECRETARY, 
DEPARTMENT OF HEALTH AND HUMAN SERVICES 

Mr. Allen. Thank you. Good morning, Mr. Chairman, Senator 
Gregg and the Members of the committee. Mr. Chairman, thank 
you for your leadership and devotion to health issues. Senator Ken- 
nedy has given much attention to these issues over the years and 
it has been a privilege to work with him over the course of this last 
year on this and many other issues that affect the health care of 
all Americans. We both share a passion for ensuring the confidence 
of every American to know his or her medical records remain pri- 
vate, and on behalf of Secretary Thompson and myself, I want to 
thank Senator Kennedy for his friendship, his support, and his 
counsel during this last year. 

Senator Gregg, I also wanted to extend the Secretary’s and my 
thanks for his wise counsel, his friendship and his support during 
this last year, as well. I also want to thank Senator Gregg for his 
leadership on this committee and in the United States Senate on 
behalf of the people of New Hampshire and America. 

Senator Frist, your service to this country as the Senate’s only 
physician is invaluable to all of us and we thank you for that. It 
has been a real privilege to work with you, not only in the areas 
focussing on health care, but also in terms of looking beyond the 
shores of this country, to Africa and your work there on the For- 
eign Relations Committee and looking at health issues globally, not 
just domestically. So thank you for your leadership in that regard. 

Members of the committee, I am here this morning to describe 
and discuss our changes to strengthen the proposed privacy rule. 
I welcome the opportunity to appear before you and the committee 
today to discuss this important issue. 
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Last April, President Bush stated his desire to provide for the 
first time strong patient privacy protections at the Federal level. 
Prior to implementation of the proposed privacy rule, the President 
directed Secretary Thompson to review the rule and to recommend 
modifications to it that would identify and correct unanticipated 
consequences that might impede a patient’s access to care or harm 
the quality of that care while, at the same time, ensuring strong 
privacy protections. The proposed rule achieved this goal. 

I am pleased to say that beginning next April, for the first time 
all Americans will have the right to require written authorization 
before their personal medical records are shared with employers for 
employment decisions or given to life, disability or other insurers 
or for marketing purposes. They will have the right up front, the 
first time they see a doctor or a health care provider or enroll in 
a health plan, to be notified of their privacy rights and how their 
information may be used or disclosed by the provider or the plan 
so they may understand and discuss any concerns with their pro- 
viders and plans and get care that is consistent with their own per- 
sonal preference. 

Additionally, they will have access to their own medical record 
and the right to correct it if it contains incorrect or incomplete in- 
formation. 

Mr. Chairman, since the release of the proposed modifications to 
the rule, most of the attention has focussed on the issue of what 
is referred to as consent and notice, so I will begin with these pro- 
visions. We put ourselves in the shoes of the patient and we discov- 
ered the rule was not practical for patients, their doctors or phar- 
macists. Therefore, we tried to make changes that made the most 
sense from the patient’s perspective. Our proposal gives patients 
more control over where their information goes and gives them fair 
notice of how their information is used while, at the same time, 
providing the patient with what matters most — unimpeded access 
to quality care. 

The new rule enhances the obligation that covered entities give 
notice of their privacy practices to their patients by requiring a 
good faith effort to get patients to acknowledge receipt of their pri- 
vacy practices. The practitioner can still seek voluntary consent 
from their patients. Nothing in this proposed rule prohibits consent 
to normal treatment documents that doctors and hospitals use 
today. Patient authorization is still required before doctors, hos- 
pitals and other direct treatment providers could share personal 
medical records for non-routine purposes, such as disclosures to 
employers for employment purposes and marketing. 

However, patients would expect that their doctor, their hospital 
or other direct treatment provider could share medical information 
for those core activities that are essential elements to providing 
health care to the patient. Patients would continue to have the 
right to request restrictions on uses and disclosures of their health 
information. 

Real life examples provide the best illustration of why we made 
this change. Under the previous proposal, if a patient wanted or 
needed to receive care from a doctor he had to choose between sign- 
ing a consent form prior to seeing his doctor and not receiving care. 
This requirement was the same for all providers. Mandating con- 
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sent is coercive in nature and does not provide meaningful control 
for the patient. 

Now imagine that you have a twisted knee or a sore back that 
limits your mobility. You sign the form. The doctor sees you and 
recommends that you see a specialist and writes you a prescription 
for pain. The consent you signed only allows that doctor to treat 
you, but does not allow the specialist and pharmacist to look at 
your record or to provide your health care services. 

Therefore, before you can get that prescription filled you have to 
hobble to the pharmacist to sign another consent form. It is the 
same routine for the specialist. You have to go to the office to sign 
another consent form before you can make an appointment. And 
forget about doing it over the phone. 

Now, after seeing the specialist a few days later, she determines 
that you need surgery. First, she wants to take an MRI. This re- 
quires another trip to sign a consent form before the appointment 
is made and then you have to do the same for the MRI, and it goes 
on with each step. 

This is the impractical reality that we faced as we looked at how 
to implement the December 2000 rule. We viewed the mandatory 
consent as coercive and a fundamental hurdle to health care for pa- 
tients and the doctors, hospitals and pharmacists that serve them. 

In addition, the previous consent form did not contain any infor- 
mation about what the patient’s rights were and the privacy prac- 
tices of the provider. That was an additional form. So we combined 
these into one form that would provide patients with all the infor- 
mation they needed to exercise and understand their privacy rights 
and protections. 

Now, Mr. Chairman, I would like to describe briefly other impor- 
tant changes. From the comments we received, the area of market- 
ing seemed to satisfy no one due to its complicated nature. There- 
fore we simplified it while strengthening it at the same time. The 
proposal prohibits explicitly using or disclosing a patient’s informa- 
tion for marketing without the individual’s expressed authoriza- 
tion. At the same time, the proposal would permit doctors, hos- 
pitals, pharmacists and health plans to communicate freely with 
patients about individual treatment options and other health-relat- 
ed information, including disease management, case management, 
and care coordination. We did not to interfere with valuable com- 
munications between patients and doctors over new treatments 
they feel their patients need to know about. Nor should we inter- 
fere with programs that provide important information to those 
who suffer from chronic diseases, such as diabetes. Nor should we 
stop pharmacists from sending refill reminders to those customers 
who are on maintenance medications, such as blood pressure or 
cholesterol-lowering drugs. 

Our goal is to expand the definition of what marketing is in the 
old rule, defining more communications as marketing and thus re- 
quiring authorization and limiting direct communication to those 
things affecting a patient’s immediate health care needs. We be- 
lieve we have accomplished this goal. However, we recognize that 
others may see opportunities to expand further the definition and 
we welcome their input. 
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We also found an unintended consequence in the areas of parents 
and minors. In order to provide clarity to the proposal, we made 
limited changes to clarify that State law governs disclosures of a 
minor’s health information to a parent or guardian. The intent of 
the current rule was never to override State law. Over the years, 
States have developed a rich and broad legislative and legal history 
in this area and we wanted to preserve it rather than confuse it. 
In cases where State law is silent or unclear, the revisions would 
preserve State and professional practice by permitting a health 
care provider to use the discretion afforded by State or other law 
to provide or deny a parent access to such records. 

Just as State law now determines when a minor may be treated 
without parental consent, so too would the revisions effectively 
defer to State law on access to and control of the minor’s informa- 
tion that results from such treatment. 

In the area of research, we simplify the provisions, removing the 
burdens on research and covered entities alike so the Nation’s well- 
renown medical research can continue at a vigorous pace, but with 
renewed confidence in patients that their personal medical infor- 
mation will be protected. The proposal would permit researchers to 
use a single combined form instead of having multiple consent 
forms. The single form would contain informed consent and privacy 
rights information. The proposal would also simplify provisions on 
obtaining a waiver of individual permission to access records for re- 
search purposes so as to follow more closely the requirement of the 
common rule which governs federally-funded research. 

We also are seeking comment on the feasibility of making health 
information that does not identify directly the patients, but is im- 
portant for research more readily available for researchers. To ac- 
complish this, the department is seeking a consensus as to the type 
of information that would identify directly an individual and con- 
tinue to be excluded from the proposed limited data set. To protect 
privacy further, we propose to condition the disclosure of this lim- 
ited data set on a covered entity’s obtaining from the recipient an 
agreement in which the recipient would agree to limit the use of 
the data set for the purposes for which it was given, to not reiden- 
tify the information or use it to contact any individual. 

Other changes that I would be happy 

Senator Wellstone [presiding], Mr. Allen, I do not want to in- 
terrupt you and thank you so much for being here. If you can, I 
know there are many questions and a whole other panel and I 
might ask you to eventually summarize. It is very important testi- 
mony and I apologize for being impolite. I just want to make sure 
my colleagues have a chance for questions. 

Mr. Allen. Senator Wellstone, I am about to finish up right now. 

Senator Wellstone. Thank you. Then I apologize. 

Mr. Allen. Other changes that I would be happy to discuss in 
further detail during questioning include the clarifying and encour- 
aging of public health reporting of adverse events and other post- 
market surveillance of the FDA, clarifying that a doctor can discuss 
a patient’s treatment with other doctors, nurses, and health care 
professionals without fear of violating the rule if they are over- 
heard inadvertently, providing model business associate contracts 
provisions and allowing up to an additional year for most covered 
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entities to make their business associate contracts compliant with 
the rule, and permitting the sharing of information among health 
care providers and health plans for each other’s treatment payment 
and quality-related health care operations. 

I want to assure you that Secretary Thompson and I are commit- 
ted to working with this committee and Congress on a bipartisan 
basis to strengthen the privacy protections while preserving access 
to quality of health care. The need to get strong privacy protections 
in place now is a commonly held goal that transcends partisan poli- 
tics. We owe the American people a privacy rule that works and 
they deserve no less. 

I want to thank you again for the opportunity to be here today 
and I appreciate your interest and commitment and I am happy to 
answer any questions that you have at this time. 

Senator Wellstone. Thank you very much. I guess what we 
ought to do is maybe go 7 minutes each. Is that okay, Senator War- 
ner? 

I want to thank you again for your testimony. Mr. Allen, I want 
to ask you about the administration’s decision to eliminate the pa- 
tient consent from the privacy rule. That is obviously, I think, for 
people in the country a great concern. To me, consent is the center- 
piece of patient privacy. It is what gives the patient a real say in 
health care and I also think helps restore confidence in the health 
care system. 

Now we know that there are glitches in the privacy rules that 
need to be fixed and I accept that. For example, pharmacists 
should be able to receive prescription refills over the phone and a 
patient should be referred to a specialist before consent is given. 
But why did not the administration address these problems in a 
more narrow manner instead of throwing out the underlying con- 
sent provision? I want to ask a question that I think goes to the 
heart of what I think will be the debate in the Senate and I think 
the debate in the country. 

Mr. Allen. Let me start out by first of all saying that we have 
not thrown out consent altogether. The modifications to the rule 
simply removes the requirement for mandatory consent at the ini- 
tial meeting. We have allowed that providers can continue to seek 
consent and we would encourage that providers seek consent from 
their patients. 

The primary reason why we have moved from a mandatory con- 
sent to require a mandatory notice regime is because of the inter- 
ference that consent would provide for the patient receiving care. 
It was very clear under the rule that you had an option. If you 
were a patient and you presented to the physician, if you did not 
sign the consent form a provider could refuse you care. It is that 
plain and simple. A provider could refuse you care because you did 
not sign a consent form. 

So therefore, consent was not the issue that we were trying to 
fully address here. We are trying to fully address ensuring that pa- 
tients had adequate access, access to quality care but, at the same 
time, had their privacy rights respected. Therefore, what we did is 
after receiving an outpouring of comments — during the 30-day com- 
ment period we received approximately 11,000 comments — we 
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began to focus on the issues that were being raised and the issues 
went far beyond simply the pharmacist example. 

For example, it also impacted emergency care providers that re- 
quired an emergency care provider to, once they deliver you to the 
emergency room, they are off going to follow on the next emer- 
gency, but they still had to somehow double back to try to locate 
you to get you to sign a written consent form and that simply was 
unworkable. 

The issue with specialists, again that is an area that raised con- 
siderable concerns. We also had issues of those who did not even 
have direct personal contact with you — in this area we are talking 
about advancing technology, in the area of telemedicine — that we 
would require someone who you would have contact over the tele- 
phone before they can engage you would have to get a written con- 
sent. These were all items that were unworkable and therefore we 
sought a mechanism that allowed us to go further by requiring no- 
tice on your first visit of that practitioner’s policies in terms of how 
they would treat your information and give you a meaningful op- 
portunity to engage them on providing restrictions to the use of 
that information. 

Senator Wellstone. I want to ask one other question for the 
record to begin to cover some of what I think are the concerns. Let 
me just say I thank you for your answer. In some ways I think 
what you did was sort of speak to the question I raised in that 
again I think some of the problems you raised could be addressed 
in a more narrow manner. But again I think the problem is you 
just basically eliminate the underlying consent provision and I 
think that what you are going to hear from some of us in the Sen- 
ate is yes, you are right; it is more than just pharmacists, but there 
is a way of addressing these concerns — for the record I want to say 
this — without undermining the entire consent provision, and I 
think that is going to be the nub of the debate. 

Now one other issue before I run out of my time. It has to do 
with the marketing of people’s private medical information. We 
have all heard stories where a pharmaceutical company gets infor- 
mation that a patient has been seeing a counselor and then starts 
marketing antidepressants. 

In this regulation you have changed what counts as non-market- 
ing and what is therefore not subject to the protections in the rule 
and they include, and I quote, “recommending alternative treat- 
ment therapies, health providers or settings of care to that individ- 
ual.” This is not counted as marketing. 

So basically that means that any communication that encourages 
a patient to use a product or a service related to health is not mar- 
keting, even if they are paid to make that communication. Now if 
that is not marketing, I do not know what it is and I am concerned 
that we have created a major loophole here that allows people to 
have their private records used for marketing purposes. And I won- 
der whether you could help me understand this change. 

Mr. Allen. I would be glad to try to do that, Senator. 

What we did in the rule, under the prior rule it prohibited the 
sale of personal health information without authorization or con- 
sent and required that it was a much — we thought that we have 
broadened the restriction or strengthened the privacy rights of in- 
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dividuals because what we did is that we more narrowly deter- 
mined what was going to be marketing and then required a direct 
authorization from the individual for marketing purposes. 

Under the prior rule what would happen is that there was a 
broader definition of marketing, but what had to happen is there 
had to be a disclosure of whether you receive remuneration or not 
from that purpose. In doing that, you had a situation that we were 
concerned about and heard about from the comments and that was 
if you had, for example, a provider that gets reimbursed for partici- 
pation in continuing medical education conferences — let us say they 
get travel reimbursement — to continue their medical education, if 
they then later had a client or patient that had a condition and 
they thought that that treatment regimen, that pharmaceutical 
product or that device might benefit them, they would have to go 
through an issue of determining whether they would be marketing 
to their client and to their patient. 

We have great concerns about again interfering with the treat- 
ment decisions that would be important to that patient-physician 
encounter. So therefore we broadened it and said that what was 
not marketing were issues that dealt with care coordination, issues 
that dealt with treatment, issues that dealt with disease manage- 
ment. These sort of items were not determined to be marketing. 

What we did do, though, is that we also limited marketing in the 
sense that where — if it was not related to treatment of the patient, 
that that patient would have to give prior authorization for some- 
one to send information to them in terms of marketing. 

So we think that we have approached this in a very balanced 
way that once again gives considerable weight to patients having 
access to information that affects their health and their determina- 
tion of what is in their best interest and their physician’s best in- 
terest of their health care outcomes. 

Senator Wellstone. Well, I am going to turn to Senator Frist. 
I mean, we want patients to have access to information that affects 
their health, but what we do not want is the sort of indiscriminate 
marketing of people’s private medical information. 

Mr. Allen. Certainly, and we think that we have narrowed this 
down sufficiently enough that in this regard we will defer in many 
cases to that patient and that physician, first of all, in that initial 
encounter, determine what those practices are, particularly as it re- 
lates to marketing, particularly as it relates to that patient’s treat- 
ment decision-making. But we then narrow the scope and require 
affirmative disclosure and seeking authorization for further mar- 
keting of materials that might be unrelated to the treatment of 
that patient. 

Senator Wellstone. I thank you. I think we have too much of 
a loophole here and I do not think you have narrowed it down the 
way we need to, but I certainly appreciate your thorough answer, 
and thank you. 

Senator Frist. 

Senator Frist. Thank you, Mr. Chairman. Both of those issues 
that were just talked about, consent and care and the marketing 
provisions, are very important and I think in the second panel we 
will be coming back to the marketing provisions in the testimony 
that was sent to us because it is important, I think, to make sure 
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that in this narrowing process that the net effect is not to weaken 
the privacy rule itself. 

But let me move to another topic, Secretary Allen, and that is 
on the research and public health and deidentification, issues that 
I mentioned in my opening statement. I very much agree and ap- 
plaud the proposed change that would reduce that burden, that 
overly restrictive burden on scientists and research entities by re- 
quiring a single combined consent form rather than the multiple 
consent forms that were initially proposed by the previous adminis- 
tration. 

I note that the department is also considering changes to the pro- 
posed rule’s so-called deidentification standard so that information 
could be used for research or public health purposes if it is facially 
deidentified, but still maintains or retains the important informa- 
tion for environmental health studies, infectious disease tracking. 
That would include things like zip code, date of service. 

I am very concerned that the previous administration’s 
deidentification standard is much too stringent and could signifi- 
cantly slow down, hinder or impede efforts to track infectious dis- 
ease outbreaks or to conduct public health investigations that 
again I mentioned in my opening statement that are important to 
surveillance, detection and response. It could also significantly 
skew the results of epidemiological research studies, which rou- 
tinely use admission dates and discharge dates and dates of death 
to track and help us more fully understand disease. 

In this area why is the administration seeking additional com- 
ment rather than proposing a rule up front, as it has with other 
areas in this proposed rulemaking process? 

Mr. Allen. We believe that research in the United States is by 
far the very best in the world. We believe that we want to make 
sure that that research is able to continue and exactly for what you 
have cited, Senator, and that is that we not only need to be able 
to track infectious diseases and gather population-based informa- 
tion so that we can plan; for example, trying to address chronic dis- 
ease. We are working very aggressively within the department, 
working with the National Institutes of Health and with the uni- 
versities around the country who are looking into these issues and 
we were very concerned that by, up front, us proposing what we 
do not have all the answers to, and that is how significant and 
what is the best method of deidentifying data so that you protect 
the privacy rights of the individual, but we do not impede the ad- 
vancement of research. So those were the balancing issues that we 
had to look at. 

Under the proposal we have laid out as an option for 
deidentification two alternative methods. One was to use what is 
known as basically an appropriate person who has knowledge and 
experience in statistical data and being able to say whether they 
thought that there was a greater risk or less risk of identifying the 
individual based upon the release of that information. You can get 
basically somewhat of a certification that that individual has made 
that decision or you had an alternative method where covered enti- 
ties would have to remove all 18 identifiers. 



23 


We were concerned about both of those and therefore we felt it 
probably was best to allow the research community to offer com- 
ment on that, rather than us try to — 

Senator Frist. Have you gotten feedback from the research com- 
munity? Their initial letters we have shared with each other and 
shared with you from the research community. Has it been long 
enough to get a feel for their response? 

Mr. Allen. We have gotten a few and because the comment pe- 
riod is still open I cannot close out the options for more coming in, 
but yes, we have begun to hear from the research community and 
we think that we are getting information to assist us in terms of 
how best to approach creating a limited data set, and that is really 
what the ultimate goal is, is what is the limited data set? That is, 
what are the limited number of identifiers that would be necessary 
to one, provide the information that we need for epidemiological re- 
search, et cetera, but, at the same time, to maximize the privacy 
protections of the individual so that their identity is not disclosed 
inadvertently or intentionally. 

Senator Frist. Let me return to this whole concept of consent 
and care, because as a physician, the previous administration’s pro- 
posed consent rules would have placed me as a physician or physi- 
cians generally in a very difficult position with respect to their pa- 
tients in terms of care delivery, but also from an ethical standpoint. 

It seems to me that it would have required me not only to pro- 
vide notice of my privacy practices, the standards and the guide- 
lines that would govern my own practice, but also would expressly 
allow me — in fact, it would have required me to withhold or deny 
treatment to those patients who failed or refused to provide me 
with a written consent. That is my interpretation just from reading 
it. It also seems to place patients in a difficult and an untenable 
position of signing a consent form or not receiving that care. 

You said in response to Senator Wellstone’s questions that this 
is one of the key areas in which the administration is making 
modifications to the rule. And again I know we are in this comment 
period. Are patients and physicians responding to that objection 
and to the proposals that have been made? 

Mr. Allen. That is certainly what precipitated us making the 
proposed change initially, is that we had heard from patients, phy- 
sicians and practitioners, all within the health care continuum. 
That would be providers, hospitals, plans, and patients. 

The problem with it was, as we have identified, it was unwork- 
able because what you were putting the patient in the position of 
having to do is having to choose between signing a form that you 
may or may not understand or agree with and getting care that 
you need immediately. It put you in that conundrum, but also it 
put the practitioner in an even more difficult position in that if you 
see that client more than once, you were almost put in the position 
of requiring a consent form be signed every time that patient came 
in because of the revocation requirement. You would have to track 
whether that patient revoked his or her consent. 

So it was very difficult to do that and from an administration po- 
sition it was very difficult for us to be able to address it because 
we can only address these issues once a year, so we would be put 
in a very difficult position that if there were a problem identified, 
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if we had made changes already that year, we could not take action 
to make another change in that area, whether it was consent or 
somewhere else, for another year, and that raises serious concerns 
for health and safety. 

Senator Frist. I see my time has expired. Let me just add that 
physicians and patients and others would ask me about emergency 
rooms in response to acute care, as well as the problems with phar- 
macies themselves. 

Thank you, Mr. Chairman. My time has expired. 

The Chairman. Thank you very much. 

Mr. Allen, thank you again. I know that you are very much 
aware that these consent requirements were not part of the origi- 
nal Clinton proposal and then after they had a great many hear- 
ings, public hearings, really the American people spoke and they 
spoke with such a sense of urgency about the importance of medi- 
cal privacy that they made these alterations and changes. 

Now you have made a different recommendation on the way to 
proceed on this. When you were considering what other changes 
should be there did you consider maintaining the proposal on con- 
sent and trying to deal with some of the principal areas — for exam- 
ple, the prescription drugs, the scheduling of doctors visits, which 
were really the primary kinds of areas, as I understand on the 
basis of public hearings, where they would have to be altered or 
changed? 

My question is why not maintain the consent form and adjust it 
to take in to consideration some of the legitimate issues and ques- 
tions, rather than going in a different direction, instead of going to 
a situation where they will be notified and they will be then on suf- 
ficient notice about what is happening to their medical records? 

Mr. Allen. Mr. Chairman, I think it is very important, as you 
point out, that with the prior administration they went from one 
position to a totally opposite position and we were — 

The Chairman. Granting greater privacy. You would not ques- 
tion that. 

Mr. Allen. I think what we would question is whether that ef- 
fected greater privacy in reality for the patient, from the patient’s 
perspective. 

The Chairman. Wait a minute now. You do not think an individ- 
ual having control over their medical records is greater privacy for 
that individual than the recommendation that you made? 

Mr. Allen. I think certainly an individual having greater control 
over the information about them is significant, balanced against 
them making sure — their primary reason for going to a physician 
is not privacy. Their primary reason for going to a physician is 
care. And if we put paperwork in the way of them accessing care, 
period, regardless of whether it is quality of care, the first idea is 
getting care. And the consent provisions as they were proposed, 
from the pendulum swinging from no consent provision under the 
prior administration to an absolutely mandatory written response, 
that pendulum swinging created the conundrum of putting patients 
at risk of not receiving any care at all. 

The Chairman. This is the committee that wrote that require- 
ment in, Mr. Allen. It is because this committee was concerned 
about the issues of privacy that we put it in. So we do not have 
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to be reminded about the requirements because we said that unless 
we were going to take action, that the administration was going to 
because it was such a sense of urgency. 

And what you are talking about now is the question of the pri- 
vacy of the records versus care. Of course, we probably have a dif- 
ference on this. We have taken notice of what has happened in the 
types of discrimination against individuals on the basis of genetic 
information and how that can be abused by insurance companies. 

Mr. Allen. Certainly. 

The Chairman. And we have taken notice, as well, in terms of 
particularly in the areas of mental health, as well as the marketing 
of various prescription drugs. 

Now I know, as I understand, you have made a response, I be- 
lieve to Senator Wellstone, about the kind of protections that you 
believe are going to be adequate to effectively protect patients from 
the abuses that can take place from marketing private information. 
Am I basically correct, that you believe that the provisions that you 
have, the new regulations, are going to protect people’s privacy 
from the marketing of sensitive information — for example, the 
needs that a person would have with regard to mental health or 
whether someone is an AIDS patient? 

Mr. Allen. We believe that we have, under this proposed rule, 
we have strengthened the marketing provisions to protect patients 
from the nonhealth disclosures of information that they would rea- 
sonably expect not to occur, whether it be in the case of HIV-AIDS 
status or the other inadvertent or intentional uses and misuses of 
that information. So we believe these proposed changes do effec- 
tuate that. 

In terms of what you cited, Mr. Chairman, you talked about ge- 
netics and mental health. I think it is important to note that as 
Senator Warner has already pointed out, as the secretary of Health 
and Human Resources of Virginia, Virginia is a State that protects 
its information, genetic information, from being used to discrimi- 
nate in employment. We think that that also is an area of high im- 
portance at the Federal level, that this rule does not deal specifi- 
cally with genetic information except for in terms of it prohibits an 
employer from using health-related information for employment de- 
cisions, period. It puts it as a prohibition with two very minor ex- 
ceptions that we have to recognize, and that is in the case of 
ERISA, where an employer is a group plan. But that employer 
must also take precautions not to use that information inappropri- 
ately for employment-related decisions. 

So we believe that we have struck the appropriate balance, which 
would weigh in favor of the patient getting care, and weigh also in 
favor of strengthening and giving the patient the maximum protec- 
tion of privacy of their information, but also not preclude them 
from having the ability to authorize, if they choose to, that infor- 
mation going other places, whether it is for marketing or other pur- 
poses. 

The Chairman. Well, I like what you say. The question is wheth- 
er this language does exactly what you say. Now I have the regula- 
tions right here and this, as I understand, will still make permis- 
sible recommended alternative treatments — this is one of the ex- 



26 


ceptions — therapies, health care providers, or settings of care to 
that individual. This is on page 14,790. 

Now that seems to me, you say that this is not marketing, even 
if someone actually is involved in those kinds of activities, as I un- 
derstand it. 

Mr. Allen. Senator, I do not have that paper in front of me. 

The Chairman. I apologize. 

Mr. Allen. If I understand what your question is 

The Chairman. Because this is not an enormously new section. 
As you are very much aware, there have been questions about the 
administration’s proposal and there have been serious questions 
about the rule about how sensitive information could be used and 
those that have been critical have referred to this language that 
says, in the particular regulations, the basic definition. The point 
is that the definition means any communication that encourages a 
patient to use a product or a service related to health is not mar- 
keting, even if they are paid to make that communication. If that 
is not marketing, I am not sure what is and I am concerned that 
we have created a major loophole here that allows people 

Mr. Allen. Not at all, Senator. We do not believe that this is a 
loophole. Again we approached this from the perspective of the pa- 
tient. If a patient has a particular condition, whether it be hyper- 
tension or allergies, for example, and the provider who is working 
with that patient has access to the latest and greatest information 
and product that that patient should know about, that that physi- 
cian believes that it is in the best interest of that patient to have 
an opportunity to choose to change from, we have made this lan- 
guage allow for that to occur. It does not interfere with the patient- 
physician encounter. 

What it does narrow it to is it has to be related to treatment for 
that individual and therefore that is what we have said is not mar- 
keting. We believe a patient should have access to that informa- 
tion. 

The Chairman. The fact remains that under this language, as I 
understand it, individuals may very well receive a publication from 
a drug company about alternative AIDS treatments or alternative 
AIDS care centers or alternative mental health advertising and it 
could be received in their home or in their place of business. 

Mr. Allen. First of all, I think I need to approach it that the pa- 
tient, stepping back, the patient has an opportunity to determine 
where that information will be received if it is going to be received. 

The Chairman. If they have gotten notice. 

Mr. Allen. Let me walk through it if I may, Senator. 

The Chairman. If they have gotten notice. 

Mr. Allen. Mr. Chairman, let me walk through if I can. At the 
very first encounter with that patient’s physician, that patient will 
have discussed or have the opportunity to know what those prac- 
tices are of that provider in terms of how they will use that infor- 
mation. Once that is determined and they agree with that — if they 
do not agree with it they can negotiate with that provider that that 
information not be used at all. If the provider says “No, we will use 
this information,” the patient has the choice to say “I will seek 
other care elsewhere.” 
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Once that is done, that information that you have described is 
information, if it is consistent with treatment, it can only be ap- 
proved for being sent to that patient by the covered entity, by the 
entity that has a relationship with that patient in terms of his or 
her treatment. 

Therefore, the idea that some unrelated company out there is 
willy-nilly getting access to that patient’s information, we believe 
that we have addressed that in this rule, that it would be inappro- 
priate, it would be a violation for information to end up in the 
hands of a third party that has no connection whatsoever either to 
the patient or to the patient’s provider and thereby we believe that 
we have narrowed and limited that type of unsolicited or unrelated 
solicitations to that patient. 

Where it can occur that a covered entity — let us assume it is a 
pharmacy that is working with a patient and in the case of disease 
management or in terms of a prescription being refilled — that phar- 
macist, the covered entity, can have a business association with a 
company that they have relegated or delegated that responsibility 
for notifying that patient that your prescription has come due and 
we think that that is an appropriate use of the information to serve 
the patient in terms of his or her treatment. 

The Chairman. Well, I think we need strong language that 
makes very clear the protections of the privacy of the patient in 
this area and we will have an opportunity to consider that. Thank 
you very much. My time is up. 

Mr. Allen. Thank you, Mr. Chairman. 

The Chairman. Senator Warner? 

Senator Warner. Thank you, Mr. Chairman. I think we have 
had a very constructive hearing this morning. It is not over yet, but 
the point I wish to make is that Congress really has not been able 
to resolve these tough issues since 1996 and basically we have just 
forfeited this to the successive administrations of two Presidents to 
try to solve it. 

I have to assume that this administration, as did the previous, 
in a very conscientious and nonpolitical way — there should not be 
any politics, in my judgment, involved in this thing if we can avoid 
it — is trying to do what is best for the health care industry and pa- 
tients. But these issues are at the very heart of our health care sys- 
tem and as I sat and listened I have one question and then one 
observation. 

The second panel will come forward hopefully with good con- 
structive viewpoints on how things can be changed. You still have 
an open mind, do you not? 

Mr. Allen. We are required to by law. 

Senator Warner. Well, what about just following the law to the 
T? Keep that open mind because I think a lot of conscientious peo- 
ple are working on this. And I guess my question would be many 
have stated that a much more targeted modification could have 
been made that would have improved access to care while main- 
taining stronger privacy protections. Did you consider a less restric- 
tive alternative in your deliberations? 

Mr. Allen. Senator Warner, yes, we did. We went through this 
and tried to find ways to make the consent provision work, but the 
bottom line, as we have already stated again, is that the issue was 
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not — the consent did not give a patient control over the informa- 
tion. It actually took control out of that patient’s hands and put it 
into the hands of the provider, who was forced to make a deter- 
mination of whether you sign a piece of paper or not and determine 
whether you got treatment. 

When we looked at it we tried to address the issues of the phar- 
macist. We tried to address the issue relating to specialists. We 
tried to address the issues related to emergency care. And we went 
down the list and again and again it came to a place where we ei- 
ther were going to have a rule that applied broadly or we would 
have a narrow exception that addressed every specialty group that 
existed out there. 

I think the goal that we were trying to achieve was one that had 
a flexible approach, but a consistent approach across the board, 
that took into consideration that we want to maximize two things. 
We wanted to maximize the patient’s ability to get care, but also 
wanted to maximize the patient’s ability to control their ability to 
have their public health information shared outside of treatment, 
payment and operations that reasonably a patient would assume 
that their information would be used for. 

Senator Warner. If all the best intentions that you and your col- 
leagues have manifested thus far simply prove in practice not to be 
workable, particularly the enormous costs that the hospitals and 
other health care deliverers, physicians are going to have to bear, 
you would be willing in the future to reopen this thing under the 
process prescribed by law? 

Mr. Allen. Yes, Senator. Under the law we would be allowed to 
revisit this issue once a year and that is why, that one point, under 
the rule, under the statute, we were only allowed one time a year 
to make changes. We were concerned that we would be put into a 
position that we would have made a change and then have other 
issues, unanticipated issues arise that were a detriment to the fur- 
therance of either access to care or took away from the privacy 
rights of the individual and would not be allowed to address them, 
and that was an issue that we felt very strongly that we needed 
to weigh in on the side of maximum flexibility so that we can work 
it throughout the year without having to use that one-time-a-year 
exercise to try to address every problem that arose in the interim. 

Senator Warner. Well, I think you have delivered the adminis- 
tration’s care very professionally and quite well. 

Mr. Allen. Thank you, Senator. 

Senator Warner. Time will tell. Thank you very much. Thank 
you, Mr. Chairman. 

The Chairman. Senator Clinton? 

Senator Clinton. Thank you, Mr. Chairman. I very much appre- 
ciate Senator Warner’s comments because I think all of us are look- 
ing for an appropriate way to handle this new world of information 
that is out there and to protect people’s right to privacy, especially 
the most personal and intimate information and details about 
them. So I am grateful for the recognition that this is probably a 
moving target to some extent that we will evolve a response to be- 
cause I feel very strongly about the right to privacy and I also un- 
derstand the need for health-related organizations to have access 
to good information. 
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But I must confess, Mr. Allen, I am confused and it may be that 
this is such a complicated, difficult area that it is hard to follow, 
but I just wanted to run through a couple of issues. 

As I understand what the administration is proposing, we no 
longer will require affirmative consent, but instead, an acknowl- 
edgement that information about privacy rights has been provided. 
Is that correct? 

Mr. Allen. It is correct in the sense that we do not require that 
a written consent be given. 

Senator Clinton. Right. 

Mr. Allen. It does not preclude an entity from seeking consent. 

Senator Clinton. Well, that is what is interesting to me because 
as I study what you are proposing, on the one hand we no longer 
have an affirmative consent process, but you do permit entities to 
go ahead and voluntarily seek consent. 

Mr. Allen. And there is a good reason for that. The reason is 
this, that in some cases you may have, for example, a hospital that 
already has consent for treatment, which is what we call informed 
consent. They may want to go ahead and still have consent for 
using that information that will be consistent with treatment. 
Therefore some entities may choose to seek a written consent from 
a patient, but what we have not done is we have not required ev- 
eryone to do that. 

Senator Clinton. But what you have done is when an entity 
does choose to require consent you have eliminated many of the 
consent requirements that would apply to the voluntary request for 
consent. 

Mr. Allen. And again the reason for that is because we are try- 
ing to maintain flexibility 

Senator Clinton. But you are trying to have it both ways. 

Mr. Allen. If you would let me answer my question? 

Senator Clinton. Mr. Allen, let me finish because I am trying 
to 

Mr. Allen. You asked me a question and let me answer the 
question. 

Senator Clinton. No, but let me pose the question. 

Mr. Allen. I thought you already did. 

Senator Clinton. No, I did not, Mr. Allen. 

Mr. Allen. Well, go for it. 

Senator Clinton. Thank you, dear. 

Now if you are on the one hand not requiring consent and then 
on the other hand when someone voluntarily pursues consent, you 
eliminate what the original rule had in for the provisions of con- 
sent, it seems to me you are going after consent from both ends. 
Either you offer it or you do not offer it, but when it is voluntarily 
chosen you undermine it. And I think if you look at what you have 
done to eliminate that in the name of flexibility, you have essen- 
tially vitiated consent even if someone voluntarily chooses to pur- 
sue consent. 

Mr. Allen. And your question is? 

Senator Clinton. Why have you done that? 

Mr. Allen. First of all, I would beg the question that we have 
not done that. I think what we have done is we have strengthened 
the process by one, when we remove mandatory written consent in 
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terms of the rule we have now enabled a patient to get care, plain 
and simple. But, at the same time, we have enabled a patient for 
the very first time under this rule to have information about the 
practices of the provider, to have opportunity to review those prac- 
tices and engage in a discussion about those practices and seek to 
restrict the uses of that information. That is all essential for pro- 
tecting and providing protections for an individual in terms of how 
that information is used. That does not happen. That will now hap- 
pen under this proposed rule that did not happen under the former 
rule. 

Beyond that, we have also provided again — we have not pre- 
cluded entities from seeking to get a written consent and that writ- 
ten consent, we are not dictating the confines of that because again 
it is voluntary. It is something that some providers may seek; oth- 
ers may not. But what we can guarantee is that that patient will 
get information and notice of the practices and procedures of that 
entity, and that is what we think is essential to the decision-mak- 
ing of the patient, but also to the continuity of the care that that 
patient will receive from that provider. 

Senator Clinton. But you are also eliminating the requirements 
that the covered entity inform the patient it is receiving remunera- 
tion for making the communication, you are eliminating the much 
more restrictive definition of marketing so that very often a poor 
patient will receive information and will not know that there is a 
financial interest in the entity providing it. 

Mr. Allen. What we have done is a couple of things, again, Sen- 
ator. One, in terms of consent, it only relates to what we have 
eliminated the consent for, is for treatment, payment and oper- 
ations. Anything beyond that, you must get the patient’s consent 
for the use of that information. 

In terms of remuneration, what you are discussing is how we ad- 
dress the issue of practices that, for example, I cited the example 
earlier. What we were concerned with is we have circumstances in 
which providers participate in continuing medical education con- 
ferences. Those conferences may be paid for by X company. What 
we do not want to have happen is having to have providers having 
to toil over whether or not they receive remuneration from a com- 
pany simply because later on they prescribe a product that they 
think is in the best interest of their patient, but because they had 
been given the opportunity to participate in this conference we did 
not want that to have to be considered as marketing because that 
is consistent with that provider’s treatment of the individual. 

So therefore we have broadened what we look for in terms of the 
definition of marketing, but we have limited it to that which is out- 
side of the treatment-payment continuum. 

Senator Clinton. Well, Mr. Allen, I have to confess that I am 
very disturbed by some of these changes because I think the prac- 
tical effect is to substantially weaken the privacy rule. I appreciate 
some of the difficulties that were brought to our attention in a 
hearing that we held last year and I certainly believe we should 
have targeted effective measures for dealing with some of those 
issues, like the ones that the pharmacists raise, but you have 
thrown the baby out with the bath, the best I can tell, and opened 
up a huge loophole for nearly any use of information without any 
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effective check on it because we will not have any proof that the 
patient has ever been adequately informed. 

I think it is unrealistic to believe that many patients are going 
to be that well skilled in the nuance of these rules to even know 
the questions that they are supposed to be asking and I think we 
have an obligation to err on the side of privacy. And I think that 
this rule, the recommended changes to the rule really go in the op- 
posite direction. 

So I will be very interested in following what you are proposing 
on this, but I think that the witnesses who will be coming to ap- 
pear before us in the next panel have some very specific issues and 
I hope that you and your colleagues will listen very carefully be- 
cause I think it would be quite useful to take another stab at try- 
ing to figure out how to do what you are trying to do in the name 
of flexibility without undermining privacy. 

Mr. Allen. Senator, I take your point very seriously. We are 
here to listen. We are in a comment period and we expect to get 
many comments. In fact, we probably will get, particularly after 
this hearing, a lot more comments and we welcome that. But I 
think from the perspective that we have taken, we tried to ap- 
proach this from the patient’s perspective. While you may think 
privacy rights are the most overriding issue, we stepped back and 
thought that it was far more important that in seeking to maxi- 
mize an individual’s right of privacy that it was far more important 
that we ensure that we do nothing, that we do absolutely nothing 
to impede their access to care because having a right to privacy 
means very little to a person who is desperately needing care, 
whether it be the mother who is 

Senator Clinton. You are not going to get any argument from 
any of us about that, Mr. Allen. We are all in favor of care. It is 
just that we are concerned that in the name of care, profit has a 
very big role in a lot of the efforts to use information available to 
health entities. There has to be a line drawn and you have ended 
up on one side of the line, and I think some of us are more com- 
fortable on the other side of the line, but that is to be worked out 
and discussed and I appreciate your willingness to listen to the 
comments that will be coming to you. Thank you. 

Mr. Allen. Certainly. 

The Chairman. Senator Enzi. 

OPENING STATEMENT OF HON. MICHAEL E. ENZI, U.S. 

SENATOR FROM THE STATE OF WYOMING 

Senator Enzi. Thank you, Mr. Chairman. I would ask consent 
that a statement that I prepared be placed in the record. 

The Chairman. Without objection. 

Senator Enzi. Thank you. I appreciate your holding this hearing. 
This is an issue of tremendous concern to everyone that I know. I 
know that we as a committee deferred to the agency to go ahead 
and do the rules. They did those; they occurred at the end of the 
last administration and from comments that I am receiving, I am 
quite sure that that administration would have reviewed these, as 
well, and I so pleased that they have been reviewed and revised by 
the current administration. 
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Now I know that privacy is of extreme importance to everybody. 
I saw a survey when we were doing banking privacy and it said 
that 94 percent of the people in the United States were concerned 
about their privacy — and I was wondering what was the matter 
with the other 6 percent. 

But on the medical privacy rule I have had a lot of comments 
when I’ve been in Wyoming. My prime concerns with the rule that 
we had, I heard from pharmacists. They are very concerned about 
elderly people having to come in and sign a form so that somebody 
can pick up their prescriptions for them, yet they are not even able 
to come in and sign the darn form. 

But we have some areas of Wyoming that have even bigger prob- 
lems than that and I suspect that we are not alone in the country, 
although we may be. Cell phones have not gotten to all of Wyoming 
yet. I have people that rely not on telephones that are party lines, 
but on radios that are very definitely party lines because anybody 
can pick up the transmission. In fact, they rely on that feature. Ev- 
erybody leaves their radio on and if somebody in that vast area of 
the back country is headed to town, they put out the word that 
they have a couple of things they need them to pick up when they 
are in town. They have relied on that for years and it creates a tre- 
mendous sense of community. 

But the privacy rule does not allow that sense of community. 
They are not even sure whether they are violating the law by let- 
ting somebody know that they need a prescription picked up. 

I hear from the doctors, as well. When the final rule first came 
out I had a number of them that said, “to me it looks like I have 
to violate the law,” again, because of our distances and our commu- 
nication, so “Senator, what can you do to protect me when I violate 
this rule that you allowed to go into place?” When they put it that 
way I have a lot of sympathy for them. 

I also understand what the people are talking about when they 
talk to me and it has primarily been pharmacists and some doctors 
and hospitals. 

I appreciate very much your comments about the comment pe- 
riod not being up. One of the difficulties I have had with agencies 
has been when they have obviously failed to read the information 
that they were presented with and had already closed their mind — 
before they wrote their rule — about how the rule was going to come 
out. So however it comes out, I commend you on your openness on 
the rulemaking process. 

[The prepared statement of Senator Michael Enzi follows:] 
Prepared Statement of Senator Michael B. Enzi 

Mr. Chairman. I want to thank you for promptly holding this 
hearing on the new proposed rule to protect the privacy of medical 
records. 

This Committee mounted a serious bipartisan effort in the last 
Congress to advance privacy legislation. While we were not able to 
come to agreement on a handful of provisions, there was significant 
agreement on the details of the right policy for protecting people’s 
medical information. I believe such protection is achievable while 
also allowing the appropriate use of medical information to improve 
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the health status of all Americans through research and the devel- 
opment of better medical management protocols. 

The Clinton Administration took our legislative draft and used it 
as a foundation for a rule-making on medical records privacy. Hav- 
ing been issued in the final days of that Administration, President 
Bush was placed in the position of having to review the rule when 
he took office. 

Under Secretary Thompson’s leadership, the rule underwent ad- 
ditional modifications. Which brings us to today. With that, I’d like 
to welcome Deputy Secretary Claude Allen, who will be explaining 
the latest iteration of the rule. I also welcome the other witnesses 
whose expertise in medical privacy has helped shape this policy 
over the last 4 years. 

I will comment very briefly on the new proposed rule. First, let 
me say that I support the new rule and believe it will afford strong 
privacy protections for medical information. I applaud the Adminis- 
tration’s effort to carefully balance “protections” with “progress” in 
medicine. I look forward to the comments solicited in the preamble 
with respect to de-identified health information. 

The new rule was modified to correct the old rule’s unintended 
consequence of threatening access to care and reducing the quality 
of care patients enjoy today. The goal of a privacy rule should be 
to enhance access and quality, not undermine these basics of good 
health care. 

Several other important modifications to the rule can be summa- 
rized by the phrase “administrative simplification.” Changes to 
make the privacy rule patient-friendly by making it user-friendly 
should be supported by this Committee. After all, the statutory 
mandate to develop a medical records privacy rule was included in 
the Health Insurance Portability and Accountability Act (HIPAA). 
HIPAA also included requirements on both the private health care 
market and certain public programs to administratively simplify 
health care transactions. Since HIPAA was drafted by this Com- 
mittee, it’s only logical that we should support all efforts to make 
the privacy rule consistent with the our intent to simplify adminis- 
trative burdens within the health care system. 

Mr. Chairman. I look forward to the testimony and again thank 
you for calling this hearing. 

Senator Enzi. Could you give me some of the factors that were 
motivating factors behind the changes that you made to the privacy 
rules and the more general comments you may not have been able 
to make? 

Mr. Allen. Certainly. When we received the comments — we re- 
ceived over 11,000 comments in about a 30-day period when we put 
these particular sections of the rule back out for additional com- 
ment and we had various — we have addressed somewhat earlier 
some of the issues that we are addressing. The one example that 
continued to come up was pharmacists not being able to fill pre- 
scriptions without having the patient to come in prior to the infor- 
mation being transmitted to the pharmacy and signing a consent 
form. That clearly was an impediment to care, to access to care. 

We then heard from specialists who were concerned about their 
practices and being impeded in providing care to the patient. Those 
were the sorts of examples that we had, also. Then we went down 



34 


the list from there. We had emergency care providers who not only 
would have the burden of having to get a consent form, but the na- 
ture of their work precludes them from getting the consent when 
they first pick up the patient, but then would require them to dis- 
rupt their normal practices by having to double back to try to seek 
that access. 

The area that we heard a lot of comments about was in this area 
that we all have great concerns about, and that is marketing, par- 
ticularly when the marketing is using your health-related informa- 
tion for nonhealth purposes. Nobody wants to receive an unsolicited 
advertisement or offer that discloses your public health condition or 
your health condition when you did not consent to that or were not 
aware that that was going to occur. So we began to look at ways 
of strengthening the marketing rule and we did that. 

We also had concerns raised about the role and the rights of mi- 
nors vis-a-vis their parents in terms of access to information. In 
that area what we did there is that we made very clear that the 
Federal law defers to what the State law is. So whatever the State 
law is in this area, we defer to that. If there is no law in that re- 
gard or if the law is unclear, we defer to the practice of that State 
that looks to the health professional in exercising his or her discre- 
tion and access. But we also made sure, just as most States, to pro- 
vide that, in cases of emergencies, physicians, and providers can 
provide information on a minor in the case of an emergency and 
we wanted to reflect that. 

So we tried to approach all of these issues. Research was another 
area where there were comments that came in and in that area we 
saw that we did not have all the answers. So what we have done 
is we have made an approach to how to address the issue of re- 
search so that we do not impede research going forward but, at the 
same time, finding out how do we get the information that is need- 
ed for the research to go forward, but also protecting the privacy 
rights of the individual so that they are not identified and their in- 
formation is not disclosed. 

Senator Enzi. I certainly appreciate the thorough job that you 
are doing on it, particularly on revisiting things that you revised 
before it all becomes final. It is a breath of fresh air and will help 
take care of some of the people in our State. Your explanations 
today have been clear enough that people will understand this con- 
flict between privacy and getting care and I know in all those cases 
they would opt for the care. Thank you. 

Mr. Allen. Thank you, Senator. 

The Chairman. Senator Gregg. 

Senator Gregg. Mr. Chairman, thank you. 

Mr. Allen, I unfortunately had to depart for a while, but I did 
have a chance at my other meeting to listen to you and I thought 
your presentation was excellent. 

Going back to this consent issue, I just wanted to talk about the 
unintended consequences of this mandatory consent language. It 
seems to me that I can think of three instances which would create 
really inappropriate events as a result of mandatory consent. One 
would be my situation, where if I went to a doctor, the only time 
I would ever go to a doctor is if I really had to go to the doctor. 
I cannot think of anything worse than sitting, other than maybe 
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going to BWI and waiting to get through security. But when I walk 
into that doctor’s office I have one thing on my mind and that is 
getting better. And the odds are he could put anything in front of 
me if it’s reasonable. He could even ask that I sign off that the Red 
Sox would never win the World Series ever and I would probably 
sign it. 

I think that therefore the relevance of a mandatory consent is 
probably limited because your reason for going to a doctor is not 
to sign a form; but to get better. 

Second, I am concerned about the position it puts the doctor in. 
You have alluded to this, but it seems to me that there are certain 
laws that say a doctor must treat you, starting with his Hippocratic 
Oath, but also specific Federal laws in the area of emergency care, 
for example, and State laws. The doctors could find themselves in 
the untenable position of having a patient come in who may be one 
of these Wyoming types, you know, independent, who just refused 
to sign anything. The patient needs to be treated, and the doctor 
treats because they are a good doctor and they have to treat under 
the law if it is an emergency and they have to treat under their 
oath if it is not. What then does the doctor do? What does the doc- 
tor do with the information? He may not even be able to send the 
patients’ information to a lab. 

Mr. Allen. That is right. 

Senator Gregg. And physicians certainly have opened them- 
selves up to all sorts of liability in these situations. 

So this mandatory consent creates the unintended consequence of 
putting the doctor in an improbable and inappropriate position. 

And third, I am concerned that it may create an atmosphere 
where people could use the mandatory consent to harm the pa- 
tient’s rights. I mean, mandatory consent could end up with lan- 
guage in it, although there are limitations on this, but it could end 
up with language in it which contractually would significantly pro- 
scribe what a patient’s rights are and what they are permitted to 
do. And, as I said, if you are going in to get care, you are going 
to sign that consent unless it is truly outrageous on its face, or un- 
less you happen to be an attorney. 

So I see those three instances as examples of why mandatory 
consent probably makes no sense and why your approach is much 
more logical to this effort. But we do have the anomaly, I think, 
of the American Medical Association having been the ones who, I 
think, forced the Clinton Administration to back off from its origi- 
nal proposal, which was no mandatory consent, which was probably 
a more logical position. 

So I’m wondering if it would be appropriate for this committee 
to pass a regulation or rule or law, if the Chairman brings this for- 
ward, that says that if you are a member of the American Medical 
Association, then you shall be subjected to mandatory consent. Is 
that reasonable? 

Mr. Allen. I would say for those individuals who are members 
of the American Medical Association who might otherwise have 
commented or maybe members of other associations that support 
the notice provisions that we have, if we could exclude them you 
might want to find those members who would solely want to 

Senator Gregg. My question was fairly rhetorical. 
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Mr. Allen. Mine was, as well, my comment. 

I think the issue there, Senator, if I may, in all seriousness, I 
think the issue there is I believe that with proper education, under- 
standing of the rule and the way the rule works and brings an ap- 
propriate levity to the issue of privacy, but also the significant im- 
portance of access to care, I think that we can work with the Amer- 
ican Medical Association and other organizations by educating 
them on how this rule ultimately will work to the benefit of the pa- 
tient in both areas and making sure that they have the ability to 
have the prior consent, prior notification, prior authorization for 
use of their information when it is not related to treatment, pay- 
ment or operations but, at the same time, to not be precluded from 
getting that care when it does relate to those areas. 

So I think in all seriousness I think we have an opportunity to 
educate, as well. 

Senator Gregg. I appreciate your presentation. I think it was a 
very effective representation of the administration’s position. 
Thank you. 

Mr. Allen. Thank you, Senator. 

The Chairman. Thank you very much. 

[The prepared statement of Claude Allen follows:] 

Prepared Statement of Claude A. Allen 

Chairman Kennedy, Senator Gregg, distinguished Members of the Committee, it’s 
a pleasure to be with you. I welcome the opportunity of appearing before you to talk 
about what we’re doing at the Department of Health and Human Services to fulfill 
President Bush’s goals of protecting both vital health care services and the con- 
fidence of every American to know that his or her personal medical records will re- 
main private. Today, I’m going to discuss the Standards for Privacy of Individually 
Identifiable Health Information (the Privacy Rule) and the proposed modifications 
to those standards that the Department published in the Federal Register for public 
comment on March 27, 2002. 

President Bush, Secretary Thompson and I believe strongly in the need for work- 
able and effective federal protections to ensure patients’ privacy. Americans have be- 
come increasingly concerned about the privacy of their health care information. Fear 
of misuse or abuse of sensitive medical information has deterred some patients from 
fully utilizing the necessary health care services available to them. When the Pri- 
vacy Rule is fully implemented, we will have successfully completed our goal of giv- 
ing American patients what they want: confidence that the privacy of their medical 
records will be protected and that our providers and health system will be able to 
deliver them the most advanced, and efficient quality care available. Because of the 
Privacy Rule, all Americans will, for the first time: 

• Have the right up front the first time they see a doctor or health care provider 
or enroll in a health plan to be notified of their privacy rights and how their infor- 
mation may be used or disclosed by the provider or the plan, so they may under- 
stand and discuss concerns with these providers and plans and get care that is con- 
sistent with their own personal preferences; 

• Have the right to access their own medical record and to have their record cor- 
rected, if it contains incorrect or incomplete information; and 

• Have control over most non-routine uses or disclosures of their information, in- 
cluding requiring written permission before their information is shared with em- 
ployers for employment decisions, shared with life, disability or other insurers, or 
used for marketing. 

In April 2001, President Bush acted boldly to put into place these strong patient 
privacy protections. With laws already in effect to protect personal information con- 
tained in bank, credit card, and other financial records, and to require notification 
of Americans about how their electronic data are used for providing these financial 
services, the American public should not be made to wait any longer for protection 
of the most personal of all information — their health records. At the same time, le- 
gitimate concerns were raised about whether parts of the Privacy Rule would com- 
promise patients’ access to care or the quality of that care. To address these con- 
cerns, the President directed Secretary Thompson to recommend appropriate modi- 
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fications to the Rule that would identify and correct any unanticipated consequences 
that might harm patients’ access to care or the quality of that care while still pro- 
tecting patient confidentiality. 

The notice of proposed rulemaking published on March 27, 2002 represents the 
results of the Department’s review of thousands of public comments, recommenda- 
tions from public hearings on the Privacy Rule, as well as the letters and input from 
a broad and diverse group of lawmakers, interest groups, health care leaders, and 
individual citizens regarding the Rule. The changes that we have proposed will 
allow us to ensure strong protections for personal medical information without nega- 
tively affecting access to care. These recommendations were decided upon only after 
seriously examining the feasibility of all possible options. They are common-sense 
revisions that are intended to eliminate serious obstacles to patients getting needed 
care while, for the first time, providing federal privacy protections for patients’ med- 
ical records. 

I would like to review briefly the major areas of the Privacy Rule where changes 
are being proposed and explain the Department’s reasons for proposing these ac- 
tions. At the end, I will be happy to answer any questions from the Committee 
Members on these or any other of the proposed changes. 

Consent and Notice 

First, the Department has proposed a workable solution to the consent and notice 
provision that achieves strong privacy protections and ensures access to care. The 
original regulatory proposal published in November 1999, prohibiting a covered 
health care provider from obtaining consent for uses and disclosures for treatment, 
payment and health care operations, lacked a workable process to engage the pa- 
tient to consider the providers’ privacy practices, an essential part of adequately 
protecting privacy. The final regulation published in December 2000, mandating 
consent for these routine uses and disclosures created barriers to timely access to 
care. 

The Department’s proposal is two-fold: it would enhance the obligation that cov- 
ered entities give notice of their privacy practices to their patients, by requiring a 
good faith effort to get patients to acknowledge, in writing, receipt of the notice of 
privacy practices, and it would allow providers to obtain consent for these routine 
uses. This change means only that under the Privacy Rule, patients are no longer 
required to provide consent for their doctors, hospitals, and other direct treatment 
providers to use and disclose information for those core activities that are essential 
elements of providing health care. Patient authorization is still required for most 
other purposes, such as marketing and disclosures to employers for employment 
purposes. Patients also would continue to have the right to request restrictions on 
uses and disclosures of their health information and would be able to enter into 
agreements with providers and health plans to further protect the privacy of their 
health information or to further limit the use of that information. 

We believe this approach provides new, meaningful patient privacy protection 
without impeding the delivery of high-quality care that patients need. The President 
and Secretary Thompson are dedicated to improving the delivery of quality care to 
patients, and the December 2000 privacy rule posed serious problems for patient ac- 
cess to care. Indeed, the comments received in March 2001 revealed a multitude of 
unintended consequences threatening patient safety and quality care. We also heard 
from many of you on this committee, Mr. Chairman, and other Members of Con- 
gress, all asking that we address these unintended consequences. Most importantly, 
we heard from health professionals that the proposed regulations would have seri- 
ous consequences for the quality of patient care. 

I believe it was widely recognized that the consent requirements interfered with 
patients getting prescriptions filled in a timely manner; the ability of hospitals, spe- 
cialists, or other practitioners to act timely to start care for patients referred from 
other providers; the ability to provide treatment over the telephone; and emergency 
medical providers. 

Potentially, the Department would have to repeatedly modify the privacy rule as 
each new barrier was identified. As many of you may recall, HIPAA allows modifica- 
tions to the privacy rule standards only once yearly, thus the Department would be 
in the untenable position of knowing of serious problems that threatened patient 
care, but being unable under the law to correct these threats to patient care on a 
timely basis. 

Ultimately, we tried to put ourselves in the shoes of the patient and do what 
made the most sense from his or her perspective. And, we believe that the patient 
most values unimpeded access to quality care, generally limiting the use of his or 
her information to what is necessary to provide quality care, fair notice of how his 
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or her information will be used, and more control over where other than to his 
health care providers and health plans his information goes. 

Indeed, requiring individual written consent for the routine uses necessary to pro- 
vide care give the patient little actual control over that information. When coupled 
with the provider’s ability — and even necessity — to condition treatment on the sign- 
ing of a general consent form, the patient is forced to choose between signing the 
consent form and not receiving care. In the end, we determined that the risk of com- 
promising patient care and safety outweighed any benefit of a mandatory consent 
process. We believe the backbone of patient privacy rights is preserved and 
strengthened and the spirit and intent of the mandatory consent is fulfilled by the 
written notice requirement. During each patient’s first meeting with a provider, 
they will receive a notice of their privacy rights, as well as the providers’ privacy 
policies, and how their information will be used. This notice requirement creates for 
the first time, a formalized process where the patient will pause and reflect on the 
value of the privacy of their medical records and be able to discuss any concerns 
that they have with the provider. 

Health Care Communications and Practices 

Second, the proposal ensures the strong protections for all forms of health infor- 
mation, including oral communications. Plans and providers will be obligated to 
make reasonable efforts to limit the use and disclosure of protected health informa- 
tion to the appropriate minimum necessary to accomplish the intended purpose. We 
have, however, made clear that a doctor could discuss a patient’s treatment with 
other doctors and health care professionals without fear of violating the rule if they 
are overheard if reasonable safeguards are in place. As long as a covered entity met 
the minimum necessary standards and made an effort to protect personal health in- 
formation, incidental disclosures — such as another patient overhearing a fragment 
of conversation — would not be an impermissible disclosure. This proposed change 
does not in any way permits gossiping or other careless use of patient information. 

Research 

Third, the proposals would simplify the research provisions, removing many of the 
burdens on research and covered entities alike, thereby continuing to promote the 
highest quality of care that Americans have come to expect and have a right to de- 
mand and so that the nation’s world-renowned medical research can continue at a 
vigorous pace, but with renewed confidence in patients that their personal medical 
information will be protected. The proposal would make it easier for patients who 
participate in research to understand all dimensions of the study, including privacy 
dimensions, through the use of a single combined form, instead of having multiple 
consent forms — one for informed consent to the research and one or more related 
to information privacy rights. It streamlines requirements for obtaining a waiver of 
individual permission to access records for research purposes, so as to more closely 
follow the requirements of the “Common Rule,” which governs federally funded re- 
search. These simplified provisions would, nonetheless, continue to include privacy- 
specific criteria and would apply equally to publicly- and privately-funded research. 

The Department is also seeking comment on the feasibility of making health in- 
formation that does not directly identify the patient more readily available for re- 
search and limited other purposes. For example, many researchers and others who 
study the quality or accessibility of care have indicated a need for information that 
does not facially identify the patient, but nonetheless contains certain identifiers 
such as zip code or dates of admission and discharge. Under the Privacy Rule, the 
information would not be “de-identified.” In environmental cancer studies, zipcodes 
are often important for environmental health research. Duration of illness is impor- 
tant for infectious disease studies. Through the comment process, the Department 
is seeking a consensus as to how to construct a “limited data set” that could be dis- 
closed for such purposes, and as to what type of information should continue to be 
excluded from the proposed “limited data set” because it would directly identify an 
individual. In addition, to further protect privacy, we propose to condition the disclo- 
sure of the limited data set on a covered entity’s obtaining from the recipient a data 
use or similar agreement, in which the recipient would agree to limit the use of the 
data set for the purposes for which it was given, as well as not to re-identify the 
information or use it to contact any individual. 

Parents and Minors 

Fourth, we have made limited changes to clarify that State law governs disclo- 
sures of a minor’s health information to a parent or guardian. The rule and the pro- 
posed modification only address the rights related to a minor’s medical records; nei- 
ther has any impact on a minor’s ability to obtain certain medical services under 
State law without parental consent. The intent of the current rule was never to 



39 


override State laws that set standards for parental access to their children’s medical 
records. In cases where State law is silent or unclear, the revisions would preserve 
physician flexibility and standards of professional practice by permitting a health 
care provider to use the discretion afforded by the State or other law to provide or 
deny a parent access to such records. Just as State law now determines when a 
minor may be treated without parental consent, so too would the revisions effec- 
tively defer to State law on access to and control of the minor’s information that 
results from such treatment. 

Marketing 

Fifth, the proposal explicitly prohibits using or disclosing a patient’s information 
for any marketing purposes without the individual’s express authorization. At the 
same time, the proposal would ensure that doctors and other covered entities could 
continue to communicate freely with patients about treatment options and other 
health-related information, related to their treatment, including disease-manage- 
ment programs sponsored by the entity. The doctor may or may not receive remu- 
neration. This proposal would strengthen the marketing provisions by requiring an 
individual to specifically authorize certain disclosures of health information that 
otherwise would be permitted without such authorization under the privacy rule. 
For example, a health plan would be prohibited from giving a pharmaceutical com- 
pany its list of all enrollees for the company to send all patients information about 
their products without obtaining each individual’s authorization even if that com- 
pany is a business associate of the health plan. However, the proposal would con- 
tinue to allow use of information for the health plan to send enrollees with diabetes 
information about a diabetes disease management program that may help them 
manage their illness. Patients want information about their treatment and treat- 
ment alternatives and the benefits and services offered by their plans and health 
care providers. Patients do not want their personal information used for unsolicited 
marketing pitches that have nothing to do with their care. This is the same common 
sense approach that governs all other revisions to the Rule: patients should have 
the right to get the best care possible, and to have their sensitive medical informa- 
tion protected while doing so. Other Provisions 

We have also proposed changes that would: 

• Clarify and encourage public health reporting of adverse events and other post- 
marketing surveillance of FDA-regulated products or services; 

• Provide model business associate contract provisions and allow up to one addi- 
tional year for most covered entities to make their business associate contracts com- 
pliant with the Rule; and 

• Permit the sharing of information among health care providers and health 
plans for each others’ treatment, payment, and quality-related health care oper- 
ations. 

Conclusion 

I want to assure you that Secretary Thompson and I are committed to working 
with this Committee and Congress, and with experts and the public, to provide the 
strongest possible protections for medical information while preserving access to and 
quality of health care. We look forward to specific comments on the proposed modi- 
fications to the Privacy Rule and we remain open to additional ideas for strengthen- 
ing privacy protections while encouraging high quality care. But it is past time to 
move forward. Privacy rules have been drafted for many years, and inaction pre- 
vents needed medical privacy protections from being put into place. The need to get 
strong privacy protections in place now is a commonly held goal that transcends 
partisan politics. We owe the American people a privacy rule that works to allow 
them to continue to get the high-quality care that they expect they deserve no less. 
Thank you again for the opportunity to be here today. I appreciate your interest and 
commitment and I am happy to answer any questions. 

The Chairman. We have a panel now that we will hear from. 
Janlori Goldman devoted her career to privacy and civil liberties 
issues, founder and director of Health Policy Project, Georgetown 
University Institute of Health Care Research, also cofounded Cen- 
ter for Democracy and Technology, a civil liberties organization 
committed to preserving free speech and privacy on the Internet. 
Janlori has been a leader on the privacy regulations since day one 
and we look forward to the testimony. 
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Sam Karp, chief information officer, California Health Care 
Foundation, coordinates the foundation’s initiatives in health care 
privacy, worked on new business models, technology-based ap- 
proaches for sharing health information. Mr. Karp is working to 
understand how providers are working to implement this regula- 
tion. 

John Clough currently is the chairman of the Division of Health 
Affairs, Cleveland Clinic Foundation. Previously the doctor served 
as chairman of the Department of Rheumatic and Immunologic 
Disease and we are pleased to get his input on this important 
issue. Senator DeWine will be here just momentarily to give us an 
additional introduction. 

Dr. Richard Harding, president of the American Psychiatric Asso- 
ciation. Serves on the Subcommittee on Privacy, Confidentiality 
and the National Committee on Vital Health Statistics in the De- 
partment of Health and Human Services and he will be sharing his 
thoughts on the impact of privacy on health care providers. 

Mr. Karp. 

STATEMENT OF SAM KARP, CHIEF INFORMATION OFFICER, 
CALIFORNIA HEALTHCARE FOUNDATION 

Mr. Karp. Good morning, Mr. Chairman, Senator Gregg and 
Members of the committee. My name is Sam Karp. I am the chief 
information officer of the California Healthcare Foundation. The 
foundation is an independent philanthropy committed to improving 
California’s health care delivery and financing systems. Thank you 
for the opportunity to testify today on an issue we believe is fun- 
damental to improving the quality of health care. 

Over the past 5 years, the California Healthcare Foundation has 
supported a range of activities to heighten awareness and under- 
standing of the need to establish strong rules to safeguard the con- 
fidentiality and security of personal health information both on and 
off-line. 

In December of last year the foundation commissioned an inde- 
pendent survey of health care organizations operating in California 
to see how implementation efforts are proceeding under the HIPAA 
privacy rule. The survey was intended to distinguish between the 
real and perceived barriers to compliance and to use the results to 
inform policy-makers and the general public debate. While I have 
submitted written testimony that details the survey findings, I 
would like to highlight two of the key findings here this morning. 

First a few words about the survey. The survey was conducted 
for the foundation by the National Committee for Quality Assur- 
ance, NCQA, and the Georgetown University Health Privacy 
Project. It was fielded in January and February of this year just 
prior to the March 27 proposed rule modifications issued by HHS. 
The survey represents the views of 100 health care organizations 
that do business in California, including 29 hospitals, 19 physician 
organizations, 26 health plans, and 26 other organizations, includ- 
ing disease management, behavioral health organizations, medical 
management groups, clearinghouses and large research organiza- 
tions. The organizations that took part in the survey are fairly rep- 
resentative of entities covered by the privacy rule and some of the 
organizations operate in States other than California. 
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With respect to implementation progress, if you refer to Table 1 
in my testimony or the chart to your right, you will see the 
progress being made in implementing the privacy rule in Califor- 
nia. Ten months into the 2-year compliance period, when asked 
about specific actions taken toward implementation, 81 percent of 
the respondents reported having developed a strategic plan. Sixty- 
seven percent indicated they have already conducted a gap analy- 
sis. Fifty-two percent have developed a readiness initiative and 12 
percent of the respondents reported already completing their readi- 
ness activities. 

As the chart indicates, hospitals report having made the most 
progress to date, with 96 percent having developed strategic plans, 
75 percent having conducted gap analyses, and 67 percent develop- 
ing readiness initiatives. Physician groups report having made the 
least progress. 

Also with respect to implementation progress, 77 percent of the 
respondents to the survey indicated that they had designated a pri- 
vacy official, as defined by the rule. Eighty-seven percent of those 
that had designated a privacy official also report they had identi- 
fied the human resources within their organizations needed to pre- 
pare for HIPAA compliance. 

Now let me turn for a moment to the consent requirement. If you 
will refer to Figure 1 in the testimony, which is also in the chart 
on your right, this chart indicates that a majority of respondents, 
51 percent, report that the consent requirements are somewhat 
workable. Another 29 percent reported that they were either work- 
able or very workable, while 20 percent reported that they were 
less than workable or not workable at all. Hospitals and physician 
groups, those organizations directly affected by the consent require- 
ments, were more likely than their counterparts to report that the 
requirements were somewhat to very workable, 90 percent and 79 
percent respectively. 

If you refer now to Figure 3, also on the chart to your right, the 
survey found that those respondents that report having developed 
a strategic plan, conducted a gap assessment or completed their 
readiness initiative — in other words, those organizations that were 
further along in their compliance effort — were also more likely than 
their counterparts to report that the consent requirements were 
workable. 

There were a variety of open-ended comments about the consent 
requirements. Let me just mention a couple. Although the final 
rule required consent to be obtained only one time, many respond- 
ents expressed confusion and concern about their ability to track 
revocations and limitations of consent. There was also concern as 
a result that some covered entities would require patients to sign 
a consent form every time they sought treatment and that patients 
would be overwhelmed and confused as a result. 

There was also confusion expressed about whether one covered 
entity could share quality assessment information with another 
covered entity, but HHS provided modifications that have now 
made that clear, that as long as those two entities have an individ- 
ual relationship with the patient, they can share that information. 

There are two take-aways from this survey. First, there is still 
considerable work to be done, as we have heard this morning, to 
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address areas of confusion, misinterpretation, and to make the 
rules generally more workable. On the other hand, the survey pro- 
vides clear evidence, some 14 months before the compliance date, 
that progress is being made in implementation. In fact, those orga- 
nizations that I mentioned a moment ago that are further along in 
their compliance efforts are finding the rules more workable. 

The Chairman. I will give you another minute or two. 

Mr. Karp. So to remove a key provision of the rule at this time 
does not seem justified. 

Again, thank you for this opportunity to testify today. I am 
happy to answer any questions you may have. 

The Chairman. Enormously interesting study. 

[The prepared statement of Mr. Sam Karp follows:] 

Prepared Statement of Sam Karp, Chief Information Officer 

Good morning. Mr. Chairman, Senator Gregg, and members of the committee, my 
name is Sam Karp. I am the Chief Information Officer of the California HealthCare 
Foundation. The Foundation is an independent philanthropy, committed to improv- 
ing California’s health care delivery and financing systems. Thank you for the op- 
portunity to testify today on an issue we believe is fundamental to improving the 
quality of health care. 

Over the past 5 years the Foundation has supported a range of activities — from 
research studies, surveys, educational publications, guides, workshops and con- 
ferences — to heighten awareness and understanding of the need to establish strong 
safeguards to protect the confidentiality and security of personal health information, 
both on- and offline. Our work is motivated by the belief that unless patients, and 
consumers generally, have confidence that the confidentiality of their health infor- 
mation is guaranteed, progress being made to develop better information systems 
to improve care and monitor and assess the quality of care will be thwarted. [The 
Foundation’s work on health privacy can be found on our Web site at www.chcf.org.] 

California HIPAA Privacy Implementation Survey 

In December 2001, the Foundation commissioned the National Committee for 
Quality Assurance (NCQA) and the Georgetown University Health Privacy Project 
to survey health care organizations operating in California to see how implementa- 
tion efforts are proceeding under the HIPAA Privacy Rule. The survey was intended 
to distinguish between the real and perceived barriers to compliance and to use the 
results of the survey to inform policymakers and the public debate. 

The survey represents the views of 100 health care organizations that do business 
in California, including 29 hospitals, 19 physician groups, 26 health plans, and 26 
other organizations, such as disease management organizations, clearinghouses, 
medical management groups, behavior health care organizations and researchers. 
The organizations that took part in this survey are fairly representative of entities 
potentially affected by the Privacy Rule. Some of the organizations surveyed also op- 
erate in states other than California. 

The survey was conducted in January and February 2002, prior to the March 27, 
2002 release by Department of Health and Human Service (HHS) of the proposed 
rule modifications (NPRM). 

When reviewing the findings of the survey it is important to note that the State 
of California has a history of strong patient confidentiality laws. Health care organi- 
zations operating in California generally have more experience operationalizing pri- 
vacy protections than most of the rest of the nation. 

The Survey Findings 

The survey identified the following key findings: 

1. Planning is proceeding; implementation progress varies. 

2. The consent requirements are somewhat workable. 

3. Minimum necessary requirements are somewhat workable. 

4. Information needed for quality assessment thought to be limited by the consent 
and minimum necessary requirements. 

5. The business associate requirements are viewed as burdensome. 

6. Resources are needed to assist preemption analysis. 

7. Compliance efforts are not fully funded. 

8. There is a general need for clarifications and/or modifications. 
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1. Planning Is Proceeding; Implementation Progress Varies 

Ten months into a 2-year compliance period, when asked about specific actions 
taken toward implementation, 81 percent of respondents have developed a strategic 
plan, 67 percent indicated they have conducted a gap assessment, and 52 percent 
have started to develop and implement readiness initiatives. Twelve percent of re- 
spondents reported completion of their readiness initiatives. Hospitals report having 
made the most progress to date, with Physician Groups having made the least 
progress. (See Table 1.) Payors with a Medicaid product were less likely than Payors 
with commercial products to have developed a strategic plan (64 percent to 92 per- 
cent), conducted a gap assessment (50 percent to 92 percent), or developed a readi- 
ness initiative (29 percent to 67 percent). 

Seventy-seven percent of respondents indicated they had designated a Privacy Of- 
ficial, as defined by HIPAA. Eighty-seven percent of those that had designated a 
Privacy Official also report they had identified the human resources within their or- 
ganization needed to prepare for HIPAA compliance. Again, Payors with a Medicaid 
product were less likely (50 percent to 92 percent) than Payors with commercial 
products to have designated a Privacy Official and also less likely (63 percent to 91 
percent) to have identified the human resources needed to prepare for HIPAA. 

Organizational challenges frequently identified by respondents included imple- 
mentation, staff education, cost, time, and information technology. 

2. The Consent Requirements Are Somewhat Workable 

Overall, 51 percent of total respondents felt that the consent requirements were 
somewhat workable. Twenty-nine percent felt they were either workable (19 per- 
cent) or very workable (10 percent), while 20 percent felt they were less than work- 
able (13 percent) or not workable at all (7 percent). (See Figure 1.) 

Hospitals, Others and Physician Groups were more likely to feel the consent re- 
quirements were somewhat to very workable (90 percent, 81 percent, and 79 percent 
respectively) than Payors (68 percent). Respondents who had developed/completed a 
readiness initiative, developed a strategic plan or conducted a gap assessment were 
more likely than their counterparts to feel that the consent requirements were 
workable. 

Forty-six percent of survey respondents believe that the Privacy Rule will be use- 
ful in assuring patient confidentiality rights and achieving consistent national 
standards for confidentiality, however, 47 percent of respondents expressed concern 
about the paperwork burden. 

Although the final rule required consent to be obtained only one time, many re- 
spondents expressed confusion or concern about the practicability of tracking revoca- 
tions and limitations on consent. There was concern that as a result, some covered 
entities would require patients to sign a consent form every time they sought treat- 
ment and that patients would be overwhelmed and confused as a result. 

Many respondents expressed concern that the burden of implementing consent 
would take time and money away from patient care. Respondents also expressed 
concern that covered entities would err on the side of caution and refuse to release 
information for fear of violating HIPAA. 

All respondents were asked to indicate what they deemed useful about the con- 
sent requirements, and what areas of the consent requirements caused them con- 
cern. Regarding aspects of the consent requirements that were useful: 

• 30 percent said that the requirements were useful in assuring patient rights. 

• 16 percent felt the requirements would provide national standards and increase 
consistency among providers. 

• 16 percent said that there was nothing useful about the requirements. 

Regarding areas of concern related to the consent requirements: 

• 19 percent of respondents cited continuity of care. 

• 14 percent cited confusion about consent among patients, employees, and physi- 
cians. 

• 9 percent cited cost. 

Payors were more likely to cite confusion about consent as an area of concern. 

Respondents were asked whether available tools and technologies could be used 
to implement four areas: 1) initial consent, 2) revocations of consent, 3) limitations 
on consent, and 4) accounting of disclosures. Implementing initial consent was 
thought to be the easiest and tracking limitations to consent the most difficult. It 
should be noted that between 17 and 25 percent of respondents did not know how 
to respond and were excluded from the results. 

Physician Groups were more likely than Hospitals, Payors, and Others to feel that 
available technologies could not be used for tracking initial consent. Of those who 
did know, 53 percent of respondents felt that initial consent could definitely be 
tracked. 
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For revocations of consent, more than a quarter (28 percent) of respondents felt 
that they could not be tracked with available tools and technologies. Forty-five per- 
cent thought they could be tracked with available tools and technologies. 

Overall 37 percent of respondents thought that limitations on consent could be 
tracked, while 35 percent of respondents thought they could not be tracked with ex- 
isting tools. Only 30 percent of Hospitals and 32 percent of Payors felt that limita- 
tions on consent could be tracked with existing tools. 

Twenty-nine percent of respondents thought that accounting of disclosure could 
not be tracked with existing tools, while 43 percent thought that they could be 
tracked. Physician Groups (33 percent) and Payors (33 percent) were more likely to 
say that they could not be tracked. 

3. Minimum Necessary Requirements Are Somewhat Workable 

Overall, 58 percent of respondents felt that the minimum necessary requirements 
are somewhat workable. Twenty-three percent felt they were workable (18 percent) 
or very workable (5 percent), while 19 percent felt they were either less than work- 
able (15 percent) or not workable at all (4 percent). Physician Groups were slightly 
more likely to see the minimum necessary requirements as workable, with Payors 
and Others slightly less likely to see them as workable. As with the consent require- 
ments, respondents who had developed a readiness initiative or strategic plan or 
had conducted a gap assessment were more likely than their counterparts to feel 
that the minimum necessary requirements were workable. 

4. Information Needed For Quality Assessment Thought To Be Limited By The Con- 

sent And Minimum-Necessary Requirements 

When asked if they thought the consent requirements would enhance or limit the 
flow of information needed to assess health care quality, 58 percent of respondents 
thought that the consent requirements would somewhat limit (51 percent) or greatly 
limit (7 percent) the flow of information needed to assess quality of care. Thirty-two 
percent of respondents felt the consent requirements would have no affect on the 
flow of information, while 10 percent percent felt the consent requirements would 
enhance (9 percent) or greatly enhance (1 percent) the flow of information. Sixty- 
five percent of Hospitals and 65 percent of Others felt that the consent requirements 
would somewhat or greatly limit the flow of information, while 42 percent of Physi- 
cian Groups and 44 percent of Payors felt that the consent requirements would have 
no effect on the flow of information. 

Those respondents that felt the consent requirements would somewhat or greatly 
impact the flow of information needed to assess health care quality were asked to 
indicate in what way the consent requirements would impact assessment of health 
care quality. There were 60 open-ended responses to this question: 

• 30 percent of respondents answering the questions felt that there would be 
process complications or additional burden associated with paperwork. 

• 17 percent felt there would be confusion over requirements; 15 percent felt pa- 
tient factors, such as revoking consent, would limit the flow of information and in- 
terrupt the continuity of care. 

• 6 percent felt that there would be inadequate transfer/flow of information need- 
ed for patient assessment. 

Inadequate time was a common theme in the responses. Hospitals were more like- 
ly to cite process complications, paperwork burden, and patient factors as limiting 
the flow of information, while Payors tended to cite confusion over requirements as 
limiting the flow of information. 

With respect to the minimum necessary requirements, the findings were less 
clear. While 45 percent of respondents’ thought this requirement would greatly limit 
or somewhat limit the flow of information needed to assess the quality of health 
care, another 45 percent thought that the minimum necessary requirements would 
have no impact. Ten percent of respondents thought the requirements would some- 
what enhance (9 percent) or greatly enhance (1 percent) the flow of information. 

Physicians and Payors expressed similar concerns that the minimum necessary 
requirement would negatively affect the flow of information for payment, delivery, 
and assessment of care. It appears that the belief that quality would be affected is 
related to the fact that the consent requirements in the final rule would not permit 
providers to share Personal Health Information (PHI) with health plans for the 
plans’ quality assurance activities. 

There was generally a lack of clarity about the permissibility of disclosures for 
quality assessment purposes. Respondents did not seem to understand the per- 
mitted uses and limitations of PHI within and between covered entities. 
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5. The Business Associate Requirements Are Viewed As Burdensome 

The time and cost associated with contracting with business associates was a sig- 
nificant issue for respondents. Seventy-two percent felt there would be a substantial 
to large time burden to implement the business associate requirements; more than 
half of respondents said the cost of implementing these requirements was substan- 
tial to large. 

When asked if they believe that the regulations clearly define who constitutes a 
business associate, 65 percent of all respondents thought the regulations were clear. 
While 81 percent of Physician Groups thought the regulations were clear, only 50 
percent of Payors agreed. While most respondents likely have existing contractual 
relations, the initial burden of recontracting is believed to be high. There is also dis- 
agreement and lack of understanding about the level of oversight and due diligence 
required by covered entities over their business associates. 

6. Resources Are Needed To Assist Preemption Analysis 

Fourteen percent of respondents did not know whether they had conducted any 
preemption analysis. Of those who did know, more than half have not identified the 
laws in the states in which they do business that either are or are not preempted 
by HIPAA. When asked how they were planning to identify and track these laws, 
most respondents indicated that they hoped outside sources would develop and track 
preemption issues or that they were expending significant resources hiring outside 
legal assistance. Assistance provided by HHS with regard to preemption analyses 
would ease the burden on covered entities. 

7. Compliance Efforts Are Not Fully Funded 

With respect to funding, only 21 percent of respondents said that their compliance 
efforts were fully funded. More than half of respondents indicated that their HIPAA 
compliance efforts were only partially funded or not funded at all. When asked 
whether they think the anticipated costs of complying with the Privacy Rule will 
eventually be offset by savings expected from implementing other components of 
HIPAA (e.g., the Transaction and Code Set regulations), 31 percent to 32 percent 
of respondents said they did not know. Of those that said they did know, 48 percent 
expect no savings, 22 percent expect some savings but not within the next 5 years, 
and 26 percent expect some savings within 3 to 5 years. 

While 51 percent of respondents reported a lack of funding, it is also important 
to keep in mind that many respondents have not developed a strategy or conducted 
a gap analysis of their organizations and this may have an impact on their knowl- 
edge of the funding requirements. The survey results also indicated there is a great 
deal of money being spent on redundant legal and outside consultant analysis of the 
regulations and compliance efforts. 

8. There Is A General Need for Modifications And / Or Clarifications 

Seventy-eight percent of respondents felt that HHS needed to provide clarifica- 
tions or make modifications to the final Privacy Rule. Many responders requested 
clarifications with respect to consent, minimum necessary, the definition and rules 
concerning business associates, the rules concerning communications, marketing 
and funding, and preemption. Others wanted clarification around research rules and 
how the regulations apply to disease management organizations. 

Conclusion 

The clear message from this survey is that there is a lot of work still to be done 
to address areas of confusion, misinterpretation and to make the rules generally 
more workable. 

1. If you are a supporter of the Privacy Rule, the survey suggests it cannot be 
fully or successfully implemented, without clarifications and possible modifications. 

2. On the other hand, there is substantial evidence that progress is being made 
in implementation, so that removing key provisions of the rule does not seem justi- 
fied. 

Today, nearly 20 percent of Americans practice some form of privacy-protective 
behavior that puts their own health at risk or creates financial hardships. These be- 
haviors include: paying out-of-pocket when insured to avoid disclosure; not seeking 
care to avoid disclosure to an employer; giving inaccurate or incomplete information 
on a medical history; asking a doctor to not write down the health problem or to 
record a less serious or embarrassing condition; or, simply not seeking care at all. 

It is in everyone’s best interest to see that these rules are implemented. 

Again, thank you for this opportunity to testify today. I am happy to answer any 
questions you may have. 
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The Chairman. I see my friend Senator DeWine here and I know 
that he wanted to 

OPENING STATEMENT OF HON. MIKE DeWINE, U.S. SENATOR 
FROM THE STATE OF OHIO 

Senator DeWine. Thank you, Mr. Chairman. I am just delighted 
to welcome Dr. John Clough, who is from the Cleveland Clinic 
Foundation in my home State of Ohio. Doctor, we welcome you 
here and we look forward to your testimony. 

He will shed some light, Mr. Chairman, on really the complex- 
ities involved with the implementation of these rules and the bur- 
dens that could fall on health care institutions. He has been with 
the Cleveland Clinic for a total of nearly 35 years and is currently 
chairman of the Division of Health Affairs at the Cleveland Clinic. 
In this capacity the doctor oversees the Departments of Govern- 
ment Affairs, Community Relations, and the Ambassador’s Pro- 
gram. 

Last month he testified on the House side regarding the issue of 
medical privacy rights and has spent considerable time studying 
the impact of the proposed rules. 

Dr. Clough, we welcome you to the committee. We thank you 
very much for being here and look forward to your testimony. 

Thank you, Mr. Chairman. 

The Chairman. Thank you very much. 

Ms. Goldman. 

STATEMENT OF JANLORI GOLDMAN, DIRECTOR, HEALTH 
PRIVACY PROJECT, GEORGETOWN UNIVERSITY 

Ms. Goldman. Thank you. Thank you, Mr. Chairman and Sen- 
ator DeWine for inviting me to testify and thank you also for hold- 
ing this oversight hearing and for your commitment to privacy. 

The mission of the Health Privacy Project is also to broaden ac- 
cess to care and to ensure that people get the quality of care that 
they need, but we know that people are afraid. People are afraid 
to go to the doctor. They are afraid to be honest with their doctor. 
They are afraid to fully share with their doctor because of what 
could happen to them, and their fears are real. We hear stories 
every day and we collect these stories about how people are hurt 
in the workplace; their benefits are denied. We know that, for in- 
stance, 40 percent of all people diagnosed with multiple sclerosis 
are afraid to tell colleagues and friends because of what could hap- 
pen to them. People are afraid to get genetic tests. The number one 
barrier to people getting genetic testing and counseling is fear that 
their privacy will be violated. 

So in response to these concerns, the administration issued this 
landmark regulation in December of 2000, the privacy regulation, 
and the Bush Administration did allow it to go into effect. We real- 
ize that it has limits and weaknesses, but the truth is it is the 
most comprehensive privacy law that we have at the Federal level. 

My testimony is extensive. I want to keep it brief in my oral 
statement and I want to focus on two of the proposed modifications 
that the administration has made — in the area of consent and the 
area of marketing. And when I talk about marketing I am also 
going to mention an FDA provision. 
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Signing onto our recommendations here, the National Multiple 
Sclerosis Society has also endorsed our position, our recommenda- 
tion on consent, as has the Epilepsy Foundation, the National As- 
sociation of Social Workers Legal Action Center, and a list of other 
groups, which we have included in our testimony. 

Let me just focus on why notice is not the same as consent. The 
administration comes here today and says that asking someone to 
sign a notice — not requiring, but asking them to sign a notice is the 
same as consent. That is just not accurate. Asking someone to sign 
a consent form is a significant and meaningful moment in the proc- 
ess of getting care and the process of enrolling in a health plan. 
It is asking someone to give their permission. It is not mandating 
the consent. A doctor could decide to condition consent on giving 
certain benefits, but the regulation does not require that the con- 
sent be mandated. 

In terms of paperwork burden, we know today that many, many 
hospitals, the vast majority of hospitals, and this was included in 
the preamble to the final regulation, do require people to consent 
to have their information used for payment. Most doctors do, as 
well, and for treatment. 

State laws in this area are different from what the Federal regu- 
lation is requiring. In State laws there are specific consent provi- 
sions related to certain kinds of conditions people might have — 
maybe in the mental health area or communicable disease or abuse 
and neglect, alcoholism — where specific consent is authorized, is re- 
quired. But in the areas of treatment and payment, they are much 
more narrow than what the administration is proposing today, 
much more limited. Treatment is defined much more narrowly and 
directly related to the treatment of the individual. Most doctors 
and hospitals will tell you they have an ethical duty to seek con- 
sent of their patients before treating them and before having their 
information provided for payment. 

Marketing? I am very bewildered and disturbed by the adminis- 
tration’s testimony today on marketing. They have contended that 
they have strengthened the marketing provision. They have done 
exactly the opposite. They have expanded what is now considered 
to be marketing and now called it treatment. They have called it 
health-related communication. What used to be in this box called 
marketing, where people had an opportunity to opt out after get- 
ting a communication, where people were told that there was a fi- 
nancial conflict of interest, that is now gone from the administra- 
tion’s proposal. 

Any communication from anybody, not just a doctor, anybody, a 
pharmacy, that is health-related, no matter whether there is a fi- 
nancial conflict of interest, does not require an authorization, does 
not give an opt-out, does not require up-front consent. That is very 
disturbing. A pharmacy can now sell your information under HHS’s 
proposed modification to a drug company, to a travel agency, even 
to a tobacco advertiser under the FDA provision, and they would 
not have to get your consent and not have to give you notice. You 
have no control and there are no limits. 

I want to just focus for a moment on the cost issue. The cost 
issue comes up time and again, but the administration itself, in a 
recent report issued from the Office of Management and Budget, 
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has shown that the privacy regulation, over the long term, will 
save $12 billion in our health care system when it is implemented 
along with the other regulations in HIPAA. 

So $12 billion of savings when privacy is implemented together 
with the other transaction regulations. How can we talk about then 
wanting to save an additional $100 by eliminating consent? It 
seems to me greedy and the wrong way to go. 

I want to just conclude by saying that President Bush cam- 
paigned on a number of pledges around medical privacy. He had 
very strong position statements during the campaign. And when he 
allowed the privacy regulation to go into effect last year he said he 
believed very strongly that medical privacy should be protected and 
people should not put themselves at risk when they get care. In 
fact, in a column in the New York Times shortly after President 
Bush allowed the regulation to go into effect, William Safire 
dubbed him “the privacy President.” 

What we are concerned about today is that if HHS’s proposed 
rollbacks become law, if the consent and marketing provisions are 
weakened and if they become law, then they will legalize the most 
disturbing and unnerving practices in the health care system today 
and the kinds of practices that made consumers angry and caused 
them to send in 35,000 comments asking the administration to in- 
clude consent, asking them to limit some of the marketing activi- 
ties. Now they will become legal. 

I urge not only the administration not to roll back these provi- 
sions, but I urge the Congress to act. I know that you have strug- 
gled with this for over a decade, but to act to create a statute that 
then is not susceptible to these political back-and-forths. 

I very much appreciate being here today and I will be available 
to answer any questions. 

[The prepared statement of Ms. Janlori Goldman follows:] 

Prepared Statement of Janlori Goldman 

Committee Chairman Kennedy, Senator Gregg and Members of the Committee: 

On behalf of the Health Privacy Project, I am very appreciative for the invitation 
to testify before you today at this oversight hearing on medical privacy. The Project, 
which is part of the Institute for Health Care Research and Policy at Georgetown 
University, is dedicated to broadening access to health care, and improving the qual- 
ity of care by ensuring that the privacy of people’s medical information is protected 
in the health care arena. The Health Privacy Project also coordinates the Consumer 
Coalition for Health Privacy, comprised of over 100 major groups representing con- 
sumers, health care providers, and labor, disability rights, and disease groups. The 
Coalition’s Steering Committee includes MRP, American Nurses Association, 
Bazelon Center for Mental Health Law, National Association of People with AIDS, 
Genetic Alliance, National Multiple Sclerosis Society, and National Partnership for 
Women & Families. 

The Health Privacy Project conducts research and analysis on a wide range of 
health privacy issues. Recent Project publications include: Best Principles for Health 
Privacy (1999), which reflects the common ground achieved by a working group of 
diverse health care stakeholders; The State of Health Privacy(1999), the only com- 
prehensive compilation of State health privacy statutes, which we are currently in 
the process of updating; Implementing the Federal Health Privacy Regulation in 
California (2002); Privacy and Confidentiality in Health Research (2001), commis- 
sioned by the National Bioethics Advisory Commission; Report on the Privacy Poli- 
cies and Practices of Health Web Sites (2000), which found that the privacy policies 
and practices of 19 out of 21 sites were inadequate and misleading; “Virtually Ex- 
posed: Privacy and E-Health” (2000), published in Health Affairs; and Exposed On- 
line: Why the New Federal Health Privacy Regulation Doesn’t Offer Much Protec- 
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tion to Internet Users (2001). All of our work is available to the public at our Web 
site, www.healthprivacy.org. 

The Health Privacy Project’s mission is to foster greater public trust and con- 
fidence in the health care system, thereby enabling people to more fully participate 
in their own care and in research without putting themselves at risk for un- 
wanted — and unwarranted — intrusions. It is wrong to force people to choose be- 
tween seeking health care and safeguarding their jobs, benefits, and reputations. 
People should not have to worry when taking a genetic test for breast cancer, or 
filling a prescription for an anti-depressant, that this most sensitive health informa- 
tion will be used outside the core health care setting, but they do worry and with 
good reason. 

The new medical Privacy Rule, 1 issued by the Department of Health and Human 
Services (the Department) in December 2000 and in effect since April 2001, is a 
landmark regulation, setting in place the first comprehensive Federal safeguards for 
people’s medical records. With still a year to go before health care organizations 
must fully comply, the centerpieces of this new privacy law are in jeopardy. We ap- 
preciate the opportunity to share our concerns with this Committee about the Bush 
Administration’s proposal to substantially weaken the medical Privacy Rule. We ex- 
press particular concern about the Department’s proposal to eliminate the patient 
consent requirement, and to severely weaken the limits on the marketing of people’s 
medical records. Joining with us in opposition to these two proposed changes, are 
the following organizations: 

• AIDS Action Council 

• American Association for Geriatric Psychiatry 

• American Counseling Association 

• American Mental Health Counselors Association 

• American Nurses Association 

• American Psychoanalytic Association 

• Bazelon Center for Mental Health Law 

• Consumers Union 

• CWA Local 1 168 Nurses United 

• Electronic Privacy Information Center 

• Family Violence Prevention Fund 

• Genetic Alliance 

• Hadassah 

• National Association of People With AIDS 

• National Mental Health Association 

• National Organization for Rare Disorders 

• NYC Chapter, National Association of Social Workers 

• Title II Community AIDS Action Network 

• Westchester Progressive Forum 

We expect that many other organizations and individuals will voice their opposi- 
tion to these proposals before the comment period closes. 

Our testimony today will summarize both our concerns with and support for the 
Department’s proposed modifications to the Privacy Rule. Our statement also in- 
cludes a brief history of the Privacy Rule, and the urgent need within the public 
and the health care system for strong, enforceable medical privacy safeguards. In 
addition, we correct the misperception that the long-term cost of implementing the 
Privacy Rule — along with its companion HIPAA standards — will outweigh the bene- 
fits. In fact, the Office of Management and Budget (OMB) released a report last 
month documenting that protecting privacy, when done hand-in-hand with the relat- 
ed HIPM rules, will actually result in substantial cost savings. 

I. URGENT PUBLIC NEED FOR MEDICAL PRIVACY 

The lack of a national health privacy law has had a negative impact on health 
care, both on an individual as well as a community level. One out of every six people 
withdraws from full participation in their own care out of fear that their medical 
information will be used without their knowledge or permission, as documented by 
a 1999 survey conducted for the California HealthCare Foundation. (Available at 
www.chcf.org.) These privacy-protective behaviors include patients providing inac- 
curate or incomplete information to doctors, doctors inaccurately coding files or leav- 
ing certain things out of a patient’s record, people paying out of pocket to avoid a 
claim being submitted, or in the worst cases, people avoiding care altogether. 


1 The Privacy Rule is contained in title 45 of the Code of Federal Regulations. All citations 
in this testimony are to the pertinent section of, or proposed amendment to, 45 C.F.R. unless 
otherwise noted. 
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More specifically, a 1997 survey documenting people’s fears about genetic dis- 
crimination showed that 63 percent of people would not take genetic tests if health 
insurers or employers could obtain the results. (Genetic Information and the Work- 
place, issued on January 20, 1998 by the U.S. Departments of Labor, Health and 
Human Services, and Justice, and the U.S. Equal Employment Opportunity Com- 
mission). And, a recent study involving genetic counselors documents that fear of 
discrimination is a significant factor affecting willingness to undergo testing and to 
seek reimbursement from health insurers. (Hall, Mark A. and Stephen S. Rich, Ge- 
netic Privacy Laws and Patients’ Fear of Discrimination by Health Insurers: The 
View from Genetic Counselors, 28 Journal of Law, Medicine & Ethics 245-57 
( 2000 ).) 

An April 2001 Harris survey documents that nearly four out of ten (40 percent) 
people with multiple sclerosis said they have lied or failed to disclose their diagnosis 
to colleagues, co-workers, friends or even family members out of fear of job loss and 
stigma. 

These survey figures come to life in the daily media reports of people being 
harmed by the use of their health information outside the core health care arena. 
To highlight just a few: 

• Eckerd’s Drug Stores in Florida is being investigated by the State Attorney 
General for its marketing practices. When Eckerd customers pick up their prescrip- 
tions, they sign a log indicating they do not want counseling from a pharmacist. 
Eckerd’s has been using that signature as an authorization to use the customer’s 
prescription drug records for mailing promotions and discounts financed by drug 
companies. 

• Terri Seargent, a North Carolina resident, was fired from her job after being 
diagnosed with a genetic disorder that required expensive treatment. Three weeks 
before being fired, Terri was given a positive review and a raise. As such, she sus- 
pected that her employer, who is self-insured, found out about her condition, and 
fired her to avoid the projected expenses. 

• The medical records of an Illinois woman were posted on the Internet without 
her knowledge or consent a few days after she was treated at St. Elizabeth’s Medi- 
cal Center following complications from an abortion at the Hope Clinic for Women. 
The woman has sued the hospital, alleging St. Elizabeth’s released her medical 
records without her authorization to anti-abortion activists, who then posted the 
records online along with a photograph they had taken of her being transferred from 
the clinic to the hospital. The woman is also suing the anti-abortion activists for in- 
vading her privacy. 

• Several thousand patient records at the University of Michigan Medical Center 
inadvertently lingered on public Internet sites for 2 months. The problem was dis- 
covered when a student searching for information about a doctor was linked to files 
containing private patient records with numbers, job status, treatment for medical 
conditions and other data. 

• Joan Kelly, an employee of Motorola, was automatically enrolled in a “depres- 
sion program” by her employer after her prescription drugs management company 
reported that she was taking anti-depressants. 

• Eli Lilly and Co. inadvertently revealed 600 patient e-mail addresses when it 
sent a message to every individual registered to receive reminders about taking 
Prozac. In the past, the e-mail messages were addressed to individuals. The mes- 
sage announcing the end of the reminder service, however, was addressed to all of 
the participants. 

• A few months ago, a hacker downloaded medical records, health information, 
and social security numbers on more than 5,000 patients at the University of Wash- 
ington Medical Center. The University conceded that its privacy and security safe- 
guards were not adequate. 

In the absence of a Federal health privacy law, these people suffered job loss, loss 
of dignity, discrimination, and stigma. Had they acted on their fears and withdrawn 
from full participation in their own care — as many people do to protect their pri- 
vacy — they would have put themselves at risk for undiagnosed and untreated condi- 
tions. In the absence of a law, people have faced the untenable choice of shielding 
themselves from unwanted exposure or sharing openly with their health care pro- 
viders. 


II. THE GENESIS OF THE PRIVACY RULE 

The current Federal health Privacy Rule is a major victory for all health care con- 
sumers, and takes a significant step toward restoring public trust and confidence 
in our nation’s health care system. The regulation promises to fill the most troubling 
gap in Federal privacy law, setting in place an essential framework and baseline 
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on which to build. Each one of us stands to benefit from the Privacy Rule in critical 
ways, including greater participation in the health care system, improved diagnosis 
and treatment, more reliable data for research and outcomes analysis, and greater 
uniformity and certainty for health care institutions as they develop privacy safe- 
guards and modernize their information systems. 

Most notably, the current Privacy Rule grants people the right to see and copy 
their own medical records; requires health care providers to obtain patient consent 
before using their records for treatment, payment and health care operations; im- 
poses limits on using medical records for marketing; imposes safeguards on publicly 
and privately funded research use of patient data; somewhat limits law enforcement 
access to medical 4 records; and allows for civil and criminal penalties to be imposed 
if the Rule is violated. 

The Privacy Rule was issued by the Department in December 2000 in response 
to a mandate from Congress included in the 1996 Health Insurance Portability and 
Accountability Act (HIPAA), which required that if Congress did not enact a medical 
privacy statute by August 1999, then the Department was required to promulgate 
regulations. This rule has been the subject of a lengthy, thorough, and robust rule- 
making process — both before and since its December 2000 release in final form. 

Despite intense pressure from some in the health care industry, the Bush Admin- 
istration allowed this important regulation to go into effect in April 2001. The first 
implementation guidance issued by the Department on July 6, 2001, addresses the 
many misstatements and exaggerations that some in the industry have been spread- 
ing about the Privacy Rule. On its face, the guidance was aimed at calming industry 
fears, and we hoped it would lead to greater acceptance of the regulation and foster 
compliance with the regulation. The guidance also indicated the changes the De- 
partment intended to propose to make to the regulation. 

We acknowledge that the Privacy Rule — as finalized — has serious gaps and weak- 
nesses, some of which can only be remedied by Congress, and some of which are 
within the Department’s authority to regulate. One shortcoming is that the rule 
only directly regulates providers, plans and clearinghouses, and does not directly 
regulate employers, pharmaceutical companies, workers’ compensation insurers, and 
many researchers. The rule also lacks a private right of action that would give peo- 
ple the right to sue if their privacy was violated. Under HIPAA, only Congress and 
the states are empowered to address these limits. However, where the Department 
does have the power to strengthen the Rule, it has chosen instead to dilute it. 

III. SUMMARY OF THE HEALTH PRIVACY PROJECT’S COMMENTS ON THE DEPARTMENT’S 
PROPOSED MODIFICATIONS TO CONSENT AND MARKETING 

A. Consent for Treatment, Payment, and Health Care Operations — Sec. 

164.506 

Proposed Modification: 

The Department proposes to eliminate the requirement that health care providers 
obtain an individual’s consent prior to using or disclosing protected health informa- 
tion for treatment, payment, and health care operations. 

Health Privacy Project Recommendation: 

The Health Privacy Project recommends that the Department retain the Privacy 
Rule’s prior consent requirement, and make targeted modifications to address the 
unintended consequences that result from the consent requirement in some cir- 
cumstances. 

Rationale: 

The Privacy Rule requires that health care providers obtain an individual’s con- 
sent prior to using or disclosing protected health information for treatment, pay- 
ment, and health care operations. At the core of the Department’s proposed modi- 
fications to the Privacy Rule is the elimination of this prior consent requirement. 
In its place, the Department substitutes a requirement that direct treatment provid- 
ers make a “good faith effort” to obtain the individual’s written acknowledgment 
that he or she received the provider’s privacy notice. (Section 164.520 of the Privacy 
Rule requires covered entities to provide this notice of privacy practices.) This pro- 
posal to eliminate the consent requirement strikes at the very heart of the Privacy 
Rule and takes away a core privacy protection for consumers. The Privacy Rule’s 
consent requirement is intended to bolster patient trust and confidence in providers 
and in health care organizations by respecting the patient’s central role in making 
health care decisions. The Department’s proposal to eliminate the consent require- 
ment represents a huge step backwards for consumers — and one that will under- 
mine trust in the health care system. 
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This debate is about much more than the label on the piece of paper that a pa- 
tient signs, or about whether a patient is given two pieces of paper (a notice and 
consent form) or just one (a notice). There are fundamental differences between a 
consent process and acknowledgement of a receipt of a notice. Seeking advance per- 
mission from a patient before using or disclosing health information acknowledges 
first and foremost that it is the patient’s decision whether to entrust others with 
his or her private medical information and under what circumstances. The Privacy 
Rule’s consent requirement gives individuals some control over how their health in- 
formation is used and disclosed. Patients would certainly have more control if con- 
sent could be withheld without the provider refusing to provide treatment. However, 
it is by no means clear that providers will withhold treatment even though per- 
mitted to do so, particularly when the individual consents to some uses/disclosures 
(treatment and payment uses/disclosures), but withholds consent for others (some 
of the relatively vast number of “health care operations” permitted by the Privacy 
Rule). It is clear that without a prior consent requirement, patients will have no 
control over how their health care information is used or disclosed beyond the right 
to request a restriction. Asking an individual to acknowledge receiving a privacy no- 
tice reinforces that the individual patient has absolutely no say in the matter. 

The Privacy Rule’s consent requirement is the best way to ensure that patients 
actually know how their health care information will be used or disclosed and know 
what their privacy rights are. The process of obtaining consent defines an “initial 
moment” — as the Department acknowledges — in which patients can raise questions 
about privacy concerns and learn more about options available to them. Patients are 
more likely to read the notice, or at least ask questions about how their information 
will be used or disclosed, when they are being asked to give their consent. Asking 
a patient to acknowledge receipt of a notice does not provide a comparable “initial 
moment” — especially when the individual is only asked to acknowledge receipt of a 
piece of paper, not whether they have read the paper or understood it or have ques- 
tions about it. 

From a practical perspective, the consent form required in the Privacy Rule fo- 
cuses attention on a new right that is central to the consent process — the right to 
request a restriction. By all accounts, the consent form is much shorter than the 
notice of privacy practices. Thus, information that is repeated in the relatively short 
consent form will be highlighted for patients. The Privacy Rule requires the consent 
form to State that the individual has the right to request a restriction. See 
§ 164.506(c)(4)(i). Including this information in the consent form, as well as in the 
notice, makes it even more likely that patients will be aware of this important right. 

That the Department has chosen radical surgery — total elimination of the consent 
requirement — when much more targeted, privacy-protective interventions would 
have sufficed is especially troublesome. 

The Department not only proposes to eliminate the consent requirement, it also 
proposes to delete several provisions that apply when providers or plans choose to 
require consent. The Privacy Rule includes various provisions that govern the con- 
tent of the consent form (e.g., it must State that the individual has the right to re- 
view the privacy notice before signing the consent form) and the right to revoke. See 
§ 164.506(b) and (c). 

Under the Privacy Rule, these provisions apply when consent is required and 
when it is optional. The Department proposes to delete all of these provisions in 
order to “enhance the flexibility of the consent process for those covered entities that 
choose to obtain consent.” See 67 Fed. Reg. 14780. In addition, the Department pro- 
poses to delete provisions governing conflicting consents and authorizations; under 
the Privacy Rule, covered entities must follow the most restrictive. See § 164.506(e). 
The Department also proposes to delete the provisions that govern joint consents 
by organized health care arrangements. See § 164.506(f). By eliminating all of these 
provisions, the Department takes away important safeguards that should, at the 
very least, apply when consent is obtained voluntarily. 

B. Marketing — Secs. 164.501 and 164.508(a)(3) 

Proposed Modifications: 

The Department proposes to reduce the Privacy Rule’s privacy protections that 
apply to communications that many consumers consider to be “marketing.” Under 
the Privacy Rule, a covered entity that is paid by a third party to encourage pa- 
tients to purchase or use a product or service that is health related must adhere 
to certain conditions. In its first communication, the covered entity must give the 
patient an opportunity to refuse further marketing materials. The covered entity 
must inform the patient that it is receiving remuneration for making the commu- 
nication. Additionally, the marketing materials must identify the covered entity as 
the party making the communication. The Department proposes to eliminate these 
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requirements by removing from the definition of “marketing” all communications 
that encourage patients to purchase or use products or services that are health re- 
lated, including communications that a covered entity is paid to make. 

The Department does propose to retain the Privacy Rule’s requirement that a cov- 
ered entity obtain an individual’s authorization prior to using or disclosing health 
information for “marketing.” However, because the Department proposes to contract 
the definition of “marketing,” the prior authorization requirement will apply only to 
a narrow range of communications — those that encourage the purchase or use of a 
product or service that is not health related. The prior authorization requirement 
will not apply to communications that encourage the use or purchase of a health 
related product or service because such communications are excluded from the defi- 
nition of marketing, even if the covered entity is paid to make the communication. 
The net effect of these proposed changes is to substantially weaken the Privacy 
Rule. 

Health Privacy Project Recommendations: 

The Health Privacy Project recommends that the Department: 

• Revise the definition of “marketing” to include communications encouraging the 
purchase or use of a health-related product or service where a covered entity re- 
ceives direct or indirect remuneration from a third party for making the communica- 
tion. 

• Revise the Privacy Rule so that a covered entity must obtain an individual’s au- 
thorization prior to using or disclosing protected health information for all market- 
ing purposes, including communications encouraging the purchase or use of health 
related products or services where the covered entity has received or will receive di- 
rect or indirect remuneration for making the communication. 

• Retain the requirement that the authorization notify the individual if the mar- 
keting is intended to result in remuneration to the covered entity from a third 
party. 

• Further modify the provisions to require that an authorization for marketing 
specify w whether the protected health information is to be used or disclosed for the 
marketing of health care related services or products or for products and services 
not related to health care. 

Rationale: 

The Privacy Rule classifies communications that encourage patients to purchase 
or use products and services in three categories: 1) Communications that are clearly 
treatment oriented and for which the covered entity does not receive remuneration 
from a third party (such as a doctor recommending a particular medicine to a pa- 
tient because it is medically indicated); 2) Communications that are related to 
health but are at least partially financially motivated (such as a pharmacy being 
paid by a drug company to send a patient a letter encouraging her to switch her 
medication to the drug company’s brand; and 3) communications that are clearly 
marketing because they do not relate to health (such as sending vacation advertise- 
ments.) See Appendix A at 1. Because the first category of communications is clearly 
treatment related, there is no requirement for prior authorization to use health in- 
formation to make these communications. At the opposite end of the continuum, be- 
cause the covered entity is being paid to use health information to market a product 
or service that is totally unrelated to health, the covered entity must obtain pa- 
tients’ prior authorization before it can use their health information for these mar- 
keting purposes. The treatment of these two categories of health information re- 
mains relatively unchanged under the proposed modifications to the Privacy Rule. 
See Appendix A at 2. 

With respect to the second category of communications, those that encourage the 
use or purchase of a health related product or service and for which the covered en- 
tity receives remuneration, the Department initially recognized that covered entities 
face a financial conflict of interest when they are paid to recommend a certain 
health related product or service. In light of these conflicts, the current Privacy Rule 
treats these communications as “marketing.” The Privacy Rule permits health infor- 
mation to be used without the patient’s prior authorization in these circumstances 
only if certain conditions are met. The patient must be given an opportunity to opt 
out of receiving further communications. Additionally, the patient must be notified 
that the covered entity is the source of the communication and is being paid to 
make the recommendation. See Appendix A at 1. 

Many consumers believe that the Privacy Rule’s delayed opt-out approach is insuf- 
ficient to protect privacy. They have urged the Department to modify the rule to 
require that covered entities obtain patient authorization prior to engaging in this 
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type marketing activity (i.e., where the covered entity is paid to encourage the use 
or purchase of a health related product or service). 

In response to these concerns, the Department essentially proposes to eliminate 
the protections (albeit inadequate) that currently exist. The Department accom- 
plishes this by removing paid communications that encourage the use or purchase 
of a health related product or service entirely from the definition of “marketing.” 
This proposed change effectively allows covered entities to make this type of paid 
communication without any prior authorization or chance to opt out. 2 See Appendix 
A at 2. 

We oppose this change on a number of grounds. First, we believe that the deter- 
mination whether prior authorization for a communication is required should not 
rest on whether a communication is in some way related to health . The proposed 
exclusion of “health related” communications from the definition of “marketing” is 
extremely broad. It is hard to conceive of a communication that remotely relates to 
health that would be considered to be “marketing.” Many activities that health care 
consumers would consider marketing and find objectionable would be excluded from 
the definition of marketing under this proposal. 

For example, the proposed definition of marketing excludes “a communication 
made to an individual. . . to direct or recommend alternative treatments, therapies, 
health care providers, or settings of care.” (See § 164.501 (defining “marketing”).) 
Under this exception, a pharmacy can be paid by a drug company to identify and 
select patients based on their health information to send them material encouraging 
them to switch their prescriptions to the drug companys particular brand of medi- 
cine. This “recommendation of alternative treatment” is primarily motivated by prof- 
it and has little to do with what is medically best for the patient. Many patients 
believe that this financially motivated use of their health information is a violation 
of their privacy. 3 

Second, because recommending any health related product or service is not con- 
sidered to be “marketing” there is no requirement that the consumer be informed 
that the covered entity is receiving remuneration from a third party to make these 
recommendations. In the above example, patients could receive materials from their 
pharmacy suggesting that they change their medicine to a different brand without 
ever being informed that the pharmacy was paid to make the recommendation. This 
approach encourages providers to engage in practices that are ridden with financial 
conflicts of interest. 4 

Third, the proposed modification eliminates any control that an individual may 
have over the use of his protected health information for receiving this type of rec- 
ommendation. Because these communications are not “marketing” there is no re- 
quirement that the covered entity obtain prior authorization to use the information 
in this manner. Furthermore, there is no mechanism by which an individual can 
remove his or her name from the covered entity’s mailing list for these “rec- 
ommendations.” This approach does not respect health care consumers and leaves 
them powerless. 

Expanding the definition of marketing can cure these faults. We believe that mar- 
keting should include communications about a product or service to encourage re- 
cipients of the communication to purchase or use the product or service where the 
covered entity receives direct or indirect remuneration for making the communica- 
tion. We would apply this standard to both health related and non-health related 
communications. Using this definition presents a rather bright line test. If a covered 
entity receives payment for a communication, the communication is marketing. 

In conjunction with this recommendation, we urge the Department to retain the 
proposed modification that would require covered entities to obtain an individual’s 
authorization prior to using his or her health information for these marketing pur- 
poses. Health care consumers should have control over whether their health infor- 
mation is used for profit-making purposes that are only tangentially related to their 
health. 


2 The Department’s explanation that it is proposing to “explicitly require covered entities to 
first obtain the individual’s specific authorization before sending them any marketing materials” 
“based on consumer concerns that the marketing provisions in the current rule does not protect 
individuals’ privacy” is disingenuous at best, given that they accomplish this by removing an 
entire category of communications from the definition of "marketing.” See Department’s Press 
Release, March 21, 2002. 

3 See e.g., Robert O’Harrow, Jr., Prescription Fear, Privacy Sales The Washington Post, Feb- 
ruary 15, 1998 at Al; Henry 1. Davis, “More Eckerd Questions,” St. Petersburg Times, March 
5, 2002 at IE. 

4 See Bernard Lo, M.D. and Ann Alpers, M.D., Uses and Abuses of Prescription Drug Informa- 
tion in Pharmacy Benefits Management Programs, 283 JAMA 801 at 809 (February 9, 2000). 
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Appointment Reminders and Prescription Refill Notices 

A number of concerns have been raised about communications, such as appoint- 
ment reminders and prescription refill notices, that may potentially fall in the gray 
area of what should be considered to be marketing. We would expect that the vast 
majority of covered entities do not receive remuneration for sending their patients 
appointment reminders. Therefore, this type of communication would not be market- 
ing. Likewise, where a pharmacy on its own volition sends a prescription refill no- 
tice or advises a patient of a potential adverse drug reaction and suggests an alter- 
native it would not be marketing. However, where a pharmacy receives payment for 
encouraging patients to refill prescriptions or switch medicine brands, the commu- 
nication would be marketing. 

We recognize that at times this definition may encompass some communications 
that provide useful information to health care consumers. However, if a covered en- 
tity is receiving payment from a third party for making the communication, it is 
pursuing activity that is at least partially in its self-interest, as opposed to the in- 
terest of the patient. In such a circumstance, the individual should be informed in 
advance that the covered entity receives remuneration for its communications and 
should have control over whether his or her health information is used in this man- 
ner. 


IV. SUMMARY OF HEALTH PRIVACY PROJECT COMMENTS ON OTHER PROPOSED 

MODIFICATIONS 

1. Hybrid Entities — Sec. 164.504 

Proposed Modification: 

The Department proposes to modify the hybrid entity provisions in order to allow 
any covered entity that performs a mixture of covered and non-covered functions to 
have the option of being designated a hybrid entity or having the entire organiza- 
tion treated as a covered entity. Additionally, the Department would require that 
a covered entity that elects hybrid status include in its designated health care com- 
ponents) any component that would meet the definition of covered entity if it were 
a separate legal entity. 

The modifications would permit, but not require, the hybrid entity to designate 
a component that performs: (1) covered functions; and (2) activities that would make 
such a component a business associate of a component that performs covered func- 
tions if the two components were separate legal entities. 

Health Privacy Project Recommendations: 

• Reject the proposal that any covered entity can elect to be a hybrid entity, and 
require those covered entities whose primary functions are not covered functions to 
be hybrid entities and to erect firewalls between their health care components and 
other components. Permit (as conditioned below) covered entities whose primary 
functions are health care to be hybrid entities. 

• Modify the implementation specifications of the proposed modified hybrid provi- 
sions to require that, at a minimum, a hybrid entity must designate a component 
that performs covered functions as a health care component. 

• Clarify that a health care provider (including a component of a hybrid entity 
that provides health care) cannot avoid being deemed a “covered entity” if it relies 
on a third party to conduct its standard electronic transactions. Clarify that with 
respect to hybrid entities, a health care provider cannot avoid having its treatment 
component considered a health care component by relying on a billing department 
to conduct its standard electronic transactions. 

2. Disclosures of Protected Health Information Related to FDA-regulated 

Products or Activities — Sec. 164.512(b) 

Proposed Modifications: 

The Department proposes to create an extremely broad exception to the general 
requirement to obtain authorization prior to the disclosure of protected health infor- 
mation. The proposed modification would allow disclosures of protected health infor- 
mation to private entities as part of any data-gathering activity that can be termed 
“related to the quality, safety, or effectiveness of such FDA-regulated product or ac- 
tivity.” Under this proposed modification, disclosures would no longer be required 
by, or at the direction of, the FDA. 

HPP Recommendations: 

The Health Privacy Project strongly opposes the Department’s proposal and urges 
the Department to retain the current provisions of the Privacy Rule. The Privacy 
Rule provides a specific series of public health related exceptions to the authoriza- 
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tion requirement. The proposed modifications, however, would create a vague and 
general standard, under the rubric of “public health,” that would open the door to 
the release of protected health information to pharmaceutical companies and argu- 
ably to tobacco companies as well. We do not see a genuine public health need that 
justifies such a significant expansion in the Privacy Rule. 

3. De-Identification — Sec. 164.514 

Proposed Modification: 

The Department is not proposing any substantive modifications to the de-identi- 
fication provisions of the Privacy Rule at this time, but is considering the creation 
of a limited data set that would not include ’’facially identifiable health information. 
This data set would be available for research, public health, and health care oper- 
ations purposes presumably without authorization. In addition, the Department is 
considering the requirement that covered entities obtain data use or similar agree- 
ments from recipients that limit the use and disclosure of the data set and prohibit 
the recipients from re-identifying or contacting individuals. 

Health Privacy Project Recommendations: 

The Health Privacy Project supports the Department’s decision to maintain the 
de-identification provisions. Before proposing an approach for the use or disclosure 
of a limited data set, the Department must carefully consider what identifiers can 
safely be included and the adequacy of privacy protections for the data set. We have 
specific concerns about the ease with which identifiable information that does not 
include direct identifiers can be combined with other data to directly identify an in- 
dividual, as well as concerns about the enforceability of data use agreements. 

4. Research— Secs. 164.512(i), 164.508(0, 164.508(c)(1), 164.532 

Proposed Modifications: 
he Department proposes to: 

(1) modify the waiver of authorization provisions. 

(2) clarify that the Privacy Rule’s provisions for IRBs and privacy boards would 
encompass a partial waiver of authorization for purposes of recruiting research par- 
ticipants. 

(3) maintain an individual’s right to revoke an authorization. 

(4) permit research authorizations to be combined with other legal permission to 
participate in a research study. 

(5) permit an authorization to use or disclose protected health information for the 
creation and maintenance of a research data base without an expiration date or 
event, but limit it to the purpose of creating or maintaining that data base. 

(6) permit the use of individually identifiable health information after the compli- 
ance date for research protocols that received a waiver of authorization from an IRB 
prior to the compliance date. 

Health Privacy Project Recommendations: 

The Health Privacy Project: 

(1) is pleased that research protocols will still be required to meet waiver criteria 
that are more narrowly focused on the privacy interests of the research participants. 

(2) is pleased that the Department is not proposing modifications to the provisions 
on reviews preparatory to research so that researchers could remove protected 
health information from a covered entity’s premises for recruitment purposes. 

(3) commends the Department for retaining an individual’s right to revoke a re- 
search authorization, but recommends further guidance on how to implement the 
revocation requirement. 

(4) urges the Department not to permit research authorizations to be combined 
with an informed consent to participate in a study. 

(5) strongly agrees with the Department that the expiration date exception for the 
creation and maintenance of data bases should not be extended to authorizations 
for further research or any other purpose. 

(6) recommends that a research study that receives a waiver of authorization from 
an IRB prior to the compliance date, but begins after the compliance date, be re- 
evaluated to ensure that adequate privacy protections are in place. 

5. Individual Authorization — Sec. 164.508 

Proposed Modifications: 

The Department proposes to: 

(1) streamline the authorization process by consolidating the different authoriza- 
tions in the Privacy Rule under a single set of criteria and removing some core ele- 
ments from the authorization requirement. 
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(2) tighten provisions on the use and disclosure of psychotherapy notes so that 
psychotherapy notes cannot be used or disclosed without individual authorization 
for another entity’s treatment, payment, and health care operations purposes. 

(3) add clarifying language so that an individual who initiates an authorization 
would not be required to reveal the purpose of his or her request. 

(4) maintain the individual’s right to revoke an authorization. 

Health Privacy Project Recommendation: 

The Health Privacy Project applauds the Department’s proposal under numbers 
(2), (3) and (4) above. However, while we support the Department’s effort to simplify 
the authorization provisions, we strongly urge the Department to: (a) retain the core 
elements required for research authorizations involving treatment of an individual 
under the Privacy Rule; (b) require remuneration disclosures in all authorizations, 
not only in authorizations for marketing; and (c) retain the plain language require- 
ment as a core element of a valid authorization. It is critical that an individual 
knows how his or her information will and will not be used or disclosed so that s/ 
he can make an informed decision about giving authorization. Furthermore, any re- 
quest 11 for individual authorization to use or disclose information must be commu- 
nicated in a manner that can be understood by the average reader so that people 
know what they are authorizing. 

6. Accounting of Disclosures — Sec. 164.528 

Proposed Modification: 

The Department proposes to expand the list of exceptions to the accounting of dis- 
closures requirement so that it no longer requires covered entities to account for any 
disclosures made pursuant to an individual authorization. 

Health Privacy Project Recommendation: 

The Health Privacy Project opposes the Department’s proposal and urges the De- 
partment to retain the requirement that disclosures of protected health information 
made pursuant to an authorization be included in an accounting of disclosures. Re- 
moving authorized disclosures from the accounting takes away the individual’s 
means of verifying that his or her information was disclosed as specified in the au- 
thorization. Such a modification would also hinder an individual’s ability to detect 
authorizations that have been fraudulently submitted or altered. 

7. Balancing the Rights of Minors and Parents — Sec. 164.502(91(3) 

Proposed Modification: 

The Department proposes to modify the Privacy Rule’s approach to balancing the 
rights of minors and parents by permitting covered entities to decide when to dis- 
close protected health information about a minor to a parent in cases where State 
or other applicable law is silent or unclear. 

Health Privacy Project Recommendations: 

The Health Privacy Project opposes the proposed modifications because they 
would deter minors from obtaining critical health services, such as mental health 
care, substance abuse treatment, and testing and treatment for sexually transmitted 
diseases. We recommend that the Department retain the approach in the current 
Privacy Rule, except its approach to non-preemption of State laws that are less pro- 
tective of a minor’s privacy. Specifically, we recommend that the Department apply 
the same preemption rules to State laws pertaining to minors and disclosures to 
parents that the Department applies to other State laws, as HIPAA requires. 

8. Disclosures for Treatment, Payment, or Health Care Operations of An- 

other Entity — Proposed Sec. 164.506(c) 

Proposed Modification: 

The Department proposes several modifications to clarify how covered entities 
may use or disclose protected health information for treatment, payment, or health 
care operations, and to permit covered entities to disclose protected health informa- 
tion to other entities (including non-covered entities) for the second entity’s treat- 
ment, payment, or health care operations activities. 

Health Privacy Project Recommendation: 

Most troubling is the Department’s proposal to permit covered entities to disclose 
protected health information to other covered entities for the recipient’s health care 
operations. This constitutes a significant alteration of the structure of the Privacy 
Rule, and the Department is proposing it without adequate justification. The Health 
Privacy Project recommends that the Department reconsider the necessity for such 
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a change and assess whether the concept of “organized health care arrangement,” 
which already is part of the Privacy Rule, addresses the quality assurance issues 
raised in the preamble. If the Department pursues modifications along these lines, 
the Department should craft narrow language that addresses actual problems — and 
only the problems identified in the preamble. 

9. Definition of Protected Health Information and Proposed Exclusion of 

“Employment Records” — Sec. 164.501 

Proposed Modification: 

The Department proposes to amend the definition of “protected health informa- 
tion” in section 164.501 to explicitly exclude “employment records,” referred to in 
the preamble as “individually identifiable health information . . . held by a covered 
entity in its role as employer.” 67 Fed. Reg. 14804. 

Health Privacy Project Recommendation: 

The Health Privacy Project opposes this proposal because it threatens to under- 
mine important safeguards in the Privacy Rule. The plain language of the proposed 
text appears to move outside of the Privacy Rule any use or disclosure of employees’ 
health plan records, as well as information shared with an employer’s on-site clinic 
where that clinic is a covered provider under the current Privacy Rule. Thus, 
through a sweeping “technical correction” in the applicable definition, this proposal 
takes health information that is protected by the Privacy Rule and renders it unpro- 
tected. This is especially dangerous because of the legitimate concern people have 
that employers will use protected health information, including genetic information, 
inappropriately to make employment-related decisions (such as deciding which em- 
ployees to promote or fire). 

10. Disclosure of Enrollment and Disenrollment Information to Sponsors of 

Group Health Plans — Proposed Sec. 164.504(f)(l)(iii) 

Proposed Modification: 

The Department proposes to permit group health plans (as well as HMOs and 
issuers) to disclose to the sponsor of the group health plan (usually an employer) 
information on whether an individual is participating in the group health plan (or 
is enrolled in, or has disenrolled from, the HMO or issuer). 

Health Privacy Project Recommendation: 

The Health Privacy Project supports this proposed modification because it is lim- 
ited to information about whether the individual is participating in or enrolled in 
the plan and does not permit the disclosure of any other protected health informa- 
tion. 

11. Minimum Necessary and Oral Communications — Secs. 164.502(a) and 

§ 164.530(c) 

Proposed Modification: 

The Department proposes to: 

• modify the Privacy Rule to add a new provision which would explicitly permit 
certain “incidental” uses and disclosures that occur as a result of an otherwise per- 
mitted use or disclosure under the Privacy Rule; and 

• modify the administrative requirements to expressly require covered entities to 
reasonably safeguard protected health information to limit incidental uses or disclo- 
sures made pursuant to an otherwise permitted or required use or disclosure. 

Health Privacy Project Recommendation: 

The Health Privacy Project does not believe a modification expressly permitting 
incidental uses is necessary, but understands that the Department wishes to calm 
the fears of some of those in the health care industry. We commend the Department 
for including a related modification that expressly requires covered entities to rea- 
sonably safeguard protected health information to limit incidental uses or disclo- 
sures made pursuant to an otherwise permitted or required use or disclosure. 

12. Business Associate Transition Provisions — Sec.164.532 (d) & (e) 

Proposed Modification: 

The Department proposes new transition provisions to allow most covered entities 
to continue to operate under certain existing business contracts with business asso- 
ciates for up to 1 year beyond the current compliance date for the Privacy Rule. 
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Health Privacy Project Recommendation: 

The Health Privacy Project recommends that the Department retain the existing 
compliance date for all aspects of the Privacy Rule. The Department has provided 
covered entities with a model business associate contract which should ease compli- 
ance efforts. 

V. COST: OMB REPORTS PRIVACY REGULATION WILL SAVE MONEY 

According to a March 2002 report just issued by OMB’s Office of Information and 
Regulatory Affairs (OIRA), the Department estimates that the cost associated with 
implementing the Privacy Rule (approximately $17 billion over 10 years) will be 
greatly offset by the cost savings associated with implementing HIPAA’s trans- 
actions standards (approximately $29 billion saved over 10 years). See Appendix B 
for excerpt of report. The cost of implementing the Privacy Rule must not be viewed 
in isolation. The Privacy Rule is an integral — and necessary — part of a package of 
Administrative Simplification rules. The goal of standardizing electronic health care 
transactions is to create efficiencies and save money. When the Privacy Rule is im- 
plemented together with the transactions standards and other Administrative Sim- 
plification rules, as contemplated by Congress, a net savings will be achieved. Fi- 
nally, we must also acknowledge the benefits reaped by increased patient participa- 
tion in health care and research, as well as the qualitative benefits that are 
achieved by furthering this important societal value. 

CONCLUSION 

When President Bush allowed the Privacy Rule to go into effect last April, he 
issued a strong statement about the need to protect patient privacy and foster con- 
fidence that people’s “personal medical records will remain private.” The President 
also pledged during his campaign to support a law requiring that a “company can- 
not use my information without my permission to do so, ’’and expressed support for 
strong laws protecting medical and genetic privacy. In fact, William Satire dubbed 
him the “privacy President” in a New York Times column shortly after the Privacy 
Rule went into effect. But, if the Department’s proposed changes become final, the 
Privacy Rule will legalize many of the practices that caused public outcry for a law. 
We urge the Bush Administration not to roll back the important gains our country 
has made in protecting the privacy of people’s medical records. We urge policy- 
makers to look at the substantial progress being made by doctors, hospitals, and 
health plans in complying with the Rule. And finally, we urge that glitches in the 
regulation be addressed through narrowly tailored fixes that preserve the integrity 
of the final Rule. 

The Chairman. I think if someone heard you and heard Mr. 
Allen both describing the same piece of legislation, they would won- 
der how they could. We are grateful for your testimony. 

Dr. Harding. 

STATEMENT OF RICHARD HARDING, M.D., PRESIDENT, 
AMERICAN PSYCHIATRIC ASSOCIATION 

Dr. Harding. Thank you, Mr. Chairman and Senator DeWine. I 
am Richard Harding, President of the APA, American Psychiatric 
Association, and Professor of Psychiatry and Pediatrics at the Uni- 
versity of South Carolina. I am also proud to be a member of the 
National Committee on Vital and Health Statistics, as you men- 
tioned, but I am here speaking for myself and for the American 
Psychiatric Association. 

I want to express my appreciation for being here and for your 
committee’s commitment to protecting medical records. I would also 
like to compliment you on your efficient and professional staff, who 
have been most helpful to all of us coming up to this hearing. 

Medical privacy and medical record confidentiality are issues 
about which all Americans are deeply concerned, at least 94 per- 
cent, as the Senator was saying. Recently the Department of 
Health and Human Services has proposed regulations which will 
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probably reduce administrative burdens on physicians and covered 
entities, probably. And, as such, this is appreciated as a physician 
speaking, but it is important to recognize that they are inadequate 
to protect patients. 

The APA objects to the elimination of consent by citizens because 
the citizens own the consent, and the substitution of a regulatory 
permission by Health and Human Services. We strongly believe pa- 
tients should be able to choose who will see their medical records 
and to be fair, in the proposed changes a privacy notice is sub- 
stituted for the written consent, but this is not privacy. Nor is pro- 
tection of the patient’s information. We found that out last week 
when a company was selling postal addresses and telephone num- 
bers because citizens did not notice in the long privacy notice that 
only email addresses would not be released. 

It concerns me that the patients, under the proposed rule, do not 
have authority over their medical record, even if the patient pays 
out of their pocket, which is a rapidly growing trend because of the 
issue of privacy. 

The APA understands that there are previously described cir- 
cumstances where a covered entity needs to use or disclose per- 
sonal health information prior to the initial face-to-face encounter 
with a patient and therefore to obtaining consent. It would seem 
to me that the remedy for this is to modify the consent requirement 
in the privacy rule. The Department of HHS has overcorrected a 
problem, by a proposed elimination of the traditional patient right 
of affirmative consent altogether. This is a truly sea change event 
in American medicine, to go to this way of handling consent. 

The APA recommends Health and Human Services retain the 
privacy rule’s prior consent requirement with targeted modifica- 
tions, as mentioned in previous testimony. 

Briefly on marketing, marketing is defined, and I think it is im- 
portant to define it, as “to make a communication about a product 
or service to encourage recipients of the communication to purchase 
or use the product or service.” The HSS proposed changes to the 
marketing provisions appear to require authorization before the pa- 
tient receives marketing materials. In so doing, that is well in- 
tended, but it is flawed. There is no real effective privacy safety net 
against commercial usage. The real problem is the exclusions to the 
term “marketing” swallow the rule. 

Under the proposed changes, a long list of programs is not con- 
sidered marketing. Marketers can use things such as disease man- 
agement, as mentioned before, wellness programs, case manage- 
ment, prescription refills and so forth to send marketing materials. 
The regulations do not clearly restrict these marketing loopholes 
from abuses, and I will not get into the examples of that, which 
have already been stated. 

It is my experience as a practicing physician that patients have 
never dreamed of their personal health information being used for 
marketing. That just does not enter their minds. This is especially 
critical for marketing to minors. 

I strongly urge the committee to join us in requesting HHS re- 
quire a patient’s consent and their authorization for marketing be- 
fore medical information is released under HIPAA. 
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We thank you for this opportunity to testify and respond to your 
questions and continuing to work with the committee on these im- 
portant issues. Thank you. 

[The prepared statement of Richard Harding, M.D. follows:] 

Prepared Statement of Richard Harding, M.D. 

Mr. Chairman, and members of the Committee, I am Richard Harding, M.D., tes- 
tifying on behalf of the American Psychiatric Association (APA), a medical specialty 
society, representing more than 40,000 psychiatric physicians nationwide. I serve 
the APA as its President and am currently Professor of Clinical Psychiatry and Pe- 
diatrics at the University of South Carolina School of Medicine. In addition, I serve 
as Vice-Chairman for Clinical Affairs of the Department of Psychiatry and maintain 
a busy outpatient practice. 

While I also serve on the Subcommittee on Privacy and Confidentiality of the Na- 
tional Committee on Vital and Health Statistics within the Department of Health 
and Human Services (HHS), the views I am presenting today are my views and the 
views of the American Psychiatric Association. 

First, I would like to thank Chairman Kennedy and the members of the Commit- 
tee for the opportunity to testify today. My oral comments will be limited to two 
major concerns: consent and marketing. My written testimony is significantly more 
expansive as it reflects APA’s comments on all of the NPRM privacy regulation 
changes, that we will formally submit to HHS, and I ask that it be made part of 
the hearing record. 

Mr. Chairman we greatly appreciate your commitment to protecting medical 
records privacy. Privacy and particularly medical records privacy is an issue that 
not only affects all Americans but also one that they are deeply concerned about. 
On behalf of our profession and our patients I thank you for holding this hearing 
on the recent changes HHS made to the Medical Privacy Regulation. 

While the Department of Health and Human Services (HHS) proposed HIPM pri- 
vacy regulation changes will reduce the burden on physicians and other healthcare 
providers, it is important to recognize they are inadequate to protect patients. The 
APA objects to the proposed elimination of the consent requirement that patients 
give written consent before their records are disclosed to physicians, hospitals or in- 
surance companies. Under the proposed changes, consent is optional for direct treat- 
ment providers. HHS now gives their “regulatory permission” to allow a patient’s 
information to be freely disclosed to health plans, providers, and clearing houses 
without the patient’s consent. The APA strongly believes patients should be able to 
choose who will see their medical records. The elimination of the consent require- 
ment is a significant change not only to the historic doctor-patient treatment rela- 
tionship but also an impediment to physicians’ efforts to provide the best possible 
medical care. The consent requirement gave the physician the opportunity to discuss 
where their medical information would be released. We need to take steps to ensure 
that doctor-patient confidentiality is preserved and strengthened. 

It is troubling to me as a practicing psychiatrist that a patient, under this rule, 
does not have consent authority over their medical records even if the patient pays 
out of pocket for their treatment. The proposed changes to the rule eliminate patient 
protection in a private payment situation with their provider by allowing informa- 
tion to be released without the patient’s consent. For example, celebrities who seek 
help from a substance abuse center and pay in cash to be anonymous should be al- 
lowed to do so without their health information being released. Similarly, Medicare 
patients who elect to personally pay for treatment should not be at risk from the 
prying eyes of government. 

Under the proposed changes, a privacy notice is substituted for consent. A privacy 
notice serves as a long and cumbersome notice that the records will be released. 
This is not privacy nor is a protection of the patient’s information. Furthermore, 
why must an ill patient have to look in the required privacy notice, which could be 
ten pages long as stated by the American Hospital Association. Buried within this 
lengthy notice is where a patient’s medical information will be sent. As we have 
found out last week internet companies are selling a person’s postal address and 
telephone number because the consumer did not notice in the long privacy notice 
that only e-mail addresses would not be released. 

The APA recommends HHS retain the privacy rule’s prior consent requirement, 
with targeted modifications to address the unintended implementation hurdles that 
result from the consent requirement in a couple of circumstances. 

While the HHS proposed changes to the marketing provision appear to require an 
authorization from a patient before the patient receives marketing materials is well 
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intentioned, the devil is truly in the details. The APA is concerned about the loop- 
holes in the definitions of marketing through the enumerated exclusions from the 
appearance of protection by the so called marketing definition. There is no real ef- 
fective privacy protection safety net against commercial usage of private patient in- 
formation. Under HHS’s changes, marketeers can use disease management, 
wellness programs, prescription refill reminders, case management and other relat- 
ed communications to send their marketing materials. These programs are not con- 
sidered marketing. The regulations do not clearly restrict these marketing loopholes 
from abuses. It clearly is not in the best interest of the patient for a drug store to 
send a prescription refill reminder without the patient’s authorization after the 
pharmacist was compensated by a pharmaceutical company. Recall not to long ago 
drug stores admitted to making patient prescription information available for use 
by a direct mail company and pharmaceutical companies. Now a pharmacy not only 
would be able to legally sell to a pharmaceutical company a list of patients that 
have been prescribed certain drugs in order to promote alternative drugs, but also 
the pharmacy could now in its own self financial interest in a medication’s more 
profitable cost to them be suggesting a change in medication refill. The marketing 
communication would no longer need to identify the covered entity as the one mak- 
ing the communication, or need to State compensation was received. 

Moreover, the fund raising provisions despite overwhelming testimony to the 
NCVHS urging that there be an “opt in” (prior consent) not “opt out” after the fact, 
using without permission an individual patient’s name for the fund raising purposes 
of the covered entity. Can you imagine sending out millions of letters telling you 
the names of persons served in your substance abuse treatment program — without 
their consent or authorization, and only thereafter, if the fund raiser wishes to do 
it again, then have to ask for the individual’s permission to use her or his name 
in the fundraising endeavor. Does this sound reasonable to anyone. 

I strongly urge the Committee to join us in requesting HHS require a patients 
consent and their authorization for marketing before their medical information is 
released under the Health Insurance Portability and Accountability Act (HIPAA). 
Also, in closing let me just briefly summarize our comments on parental rights to 
a minor’s medical records, to wit: there should be no changes to these provisions 
which have the effect of reducing access to health care by adolescent patients. 

We thank you for this opportunity to testify, respond to your questions and con- 
tinuing to work with the Committee on these important issues. 

The Chairman. Dr. Clough. 

STATEMENT OF JOHN C. CLOUGH, M.D., DIRECTOR, HEALTH 
AFFAIRS, CLEVELAND CLINIC FOUNDATION 

Dr. Clough. Good morning, Mr. Chairman, Senator DeWine. I 
am Dr. John Clough, Director of Health Affairs at the Cleveland 
Clinic Foundation and I have also been a practicing 
Rheumatologist there for over 30 years. 

The Cleveland Clinic Foundation supports Federal privacy pro- 
tections for identifiable patient information. The privacy rule would 
give patients their first-ever Federal protection of identifiable 
health information and proposed modifications would improve it 
significantly. For the first time, Federal standards prohibit the use 
and disclosure of patient information for purposes other than treat- 
ment, payment, and health care operations without patient author- 
ization. This morning I will focus on the proposed modification to 
the consent provision, as well as an important modification that 
the department is considering with respect to how patient informa- 
tion is deidentified. 

We support the proposed modification to the consent requirement 
for the following six reasons. First, this modification would remove 
barriers to patient access to care while strengthening patient pri- 
vacy protections. The Cleveland Clinic, with 1.6 million patient vis- 
its annually and over 50,000 admissions annually, routinely re- 
ceives information from patients, from referring physicians around 
the world, and uses this information to schedule and prepare for 
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examinations and procedures before the patients arrive. Prior con- 
sent, perhaps requiring an extra trip, would have to be obtained 
before any use of this patient information. 

Other inevitable problems include patients being unable to dis- 
cuss their care over the telephone with covering physicians because 
these providers may not have signed consent forms. The same 
problem would preclude nurses staffing telephone call centers, such 
as the Cleveland Clinic’s nurse-on-call service, from advising pa- 
tients in many cases. 

The proposed modification eliminates these barriers to care with- 
out weakening privacy protections. It would strengthen the notice 
requirement by requiring that providers give patients a notice of 
their rights and obtain acknowledgement that they signed it. 

Second, the suggestion that the department make exceptions for 
every problem that arises as a result of the consent requirement, 
as opposed to fixing the underlying problem, makes little sense and 
is unworkable. Furthermore, the fact that HIPAA allows modifica- 
tions to the privacy rule only once annually would produce long 
delays in getting problems fixed. 

Third, some have claimed that many States already have similar 
consent requirements. In fact, no State has a similarly broad prior 
consent requirement. Maine did attempt it in 1999, but had to sus- 
pend their law after only 12 days because of severe disruption of 
patient care. 

Fourth, the modification making consent optional is a workable 
compromise of two diametrically opposed approaches taken in the 
Clinton proposed regulation and the Clinton final regulation. In 
November 1999 the Clinton Administration’s proposed privacy reg- 
ulation prohibited providers from obtaining prior consent. They ar- 
gued that such authorizations could not provide meaningful privacy 
protections or individual control and, in fact, could culminate an in- 
dividual’s erroneous understandings of their rights and predi- 
cations and could impair care. 

In response to objections to this approach, the Clinton Adminis- 
tration reversed itself and mandated prior consent in the final rule. 
The proposed modifications strike the right balance between these 
two extremes. 

Fifth, even advocates for the most stringent privacy regulations 
testified last year that the prior consent requirement was meaning- 
ful and coerced because if the patients refused to sign the consent, 
the provider could deny treatment. 

Six, various press articles have suggested that physicians do not 
support the modification to the consent provision. It is important 
for Members of Congress to realize that many, if not most physi- 
cians organizations support the modification. In an April 10 letter 
to Congress, which is attached to my statement, organizations rep- 
resenting family physicians, surgeons, cardiologists, OB-GYNs and 
others, over 400,000 physicians in all, express support for making 
consent optional. I might add that many of those are members of 
the AMA. 

With respect to research and deidentification of patient informa- 
tion, the modifications proposed by the department make several 
key improvements that will eliminate unnecessary barriers to the 
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conduct of research while protecting patient confidentiality. The 
modifications simplify the procedures and paperwork involved. 

In addition, however, we believe that the regulations should per- 
mit a limited set of facially deidentified data to be disclosed for re- 
search purposes. The department has said it is considering such a 
change. Under the final rule some 18 characteristics would need to 
be removed to deidentify data. However, the 18 include such items 
as zip code, admission and discharge dates, dates of death and age 
that do not facially identify individuals and they are often impor- 
tant in epidemiological research, as well as in hospital disease sur- 
veillance activities, particularly important in detecting bioterror- 
ism. 

Mr. Chairman, that concludes my statement. Thank you again 
for giving me this opportunity to testify this morning and I would 
be happy to answer your questions. 

[The prepared statement of John Clough, M.D. follows:] 

Prepared Statement of John C. Clough, M.D. 

Good morning. I am Dr. John D. Clough, Director of Health Affairs for the Cleve- 
land Clinic Foundation. I am also a practicing rheumatologist. 

The Cleveland Clinic Foundation strongly supports meaningful Federal privacy 
protections for identifiable patient information. The privacy rule is intended to give 
patients the first-ever Federal protection of their identifiable health information. We 
believe the recently proposed modifications would make major and necessary im- 
provements to the final rule that will help achieve privacy goals without erecting 
barriers to high quality and timely health care for patients. 

What has been missed in much of the reporting and debate about the modifica- 
tions is that they retain, and actually strengthen, the most important new protec- 
tions for patients. For the first time, Federal standards prohibit the use and disclo- 
sure of patient information for purposes other than treatment, payment, and health 
care operations without patient authorization. Thus, disclosing a patient’s name and 
diagnosis to a newspaper, a bank, an employer, a marketer, without the prior, spe- 
cific, written authorization of the patient is prohibited. The rule also gives patients 
new rights under Federal law to receive notice of their rights, to be informed as to 
how their information can and cannot be used, and to access their own medical 
record. 

In spite of the fact that the proposed modifications keep intact these protections 
and actually strengthened many of them, virtually all of the attention of late has 
focused on the “prior consent” requirement. This morning I will focus on the modi- 
fication to the consent provision, as well as an important modification that the De- 
partment is considering with respect to how patient information is “de-identified.” 

Consent 

We strongly support the proposed modification which would make it optional, 
rather than required, for providers to obtained a signed, written consent form before 
using or disclosing identifiable information for treatment, payment, and health care 
operations. 

First: This modification would remove barriers to timely patient access to care cre- 
ated by the requirement in the final rule, while retaining and even strengthening 

strong patient privacy protections. 

The following are a few of the many examples from the Cleveland Clinic’s vantage 
point of how the requirement, without the proposed modifications, would create sig- 
nificant barriers to patient access to care. 

• The Cleveland Clinic and other hospitals routinely receive information about a 
patient from referring physicians and use this information to schedule and prepare 
for procedures prior to the patient presenting themselves at the hospital. Prior con- 
sent would have to be obtained before any use of the patient’s information for treat- 
ment. Thus, we could not use information to schedule procedures or begin intake 
procedures until we had such consents. 

• This would be problem enough for the Cleveland Clinic, where 1.6 million visits 
are on an outpatient basis each year. But, the disruption and delay for patients 
should be viewed in the totality of their care from beginning to end. 
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• For the patient, the consent requirement would mean multiple trips to sign a 
new consent form before receiving care at every point. It would mean signing one 
consent form before visiting their physician, another before referral to a specialist, 
another before getting an MRI, one more before scheduling surgery at the hospital, 
another for the ambulance ride to the nursing home, another before sending some- 
one to pick up a prescription, and on and on. 

• Other inevitable problems included patients being unable to discuss their care 
over the telephone with physicians, nurses and others covering for their colleagues 
during non-business hours because these providers may not have a signed consent 
form. Also, nurses staffing telephone call centers would be prohibited from advising 
patients in many cases because there is not opportunity to obtain prior written con- 
sent from the patient. 

The proposed modification eliminates these barriers to care without eliminating 
privacy protections. It is the written notice, not the consent form, that is the means 
by which patients are informed of their rights and how and with whom their infor- 
mation may and may not be used. The modification retains and strengthens the no- 
tice requirement in the final rule by requiring that providers give patients the no- 
tice and obtain an acknowledgment that the patient has received it. 

Second: The suggestion by some that the Department make exceptions for every prob- 
lem that arises as a result of the consent requirement, as opposed to fixing the un- 
derlying problem, is unworkable. 

The Department cannot possibly anticipate every problem that could arise, as doz- 
ens have become apparent since issuance of the final rule a year and a half ago. 
More will arise after the rule takes effect. Because the Health Insurance Portability 
and Accountability Act (HIPAA) allows modifications to the privacy rule only once 
each year to address such problems, patients would have to suffer through disrup- 
tions and delays in care for over a year before such problems could be fixed. 

Third: Some have claimed that many States already have similar consent require- 
ments. In fact, today NO State has a similarly broad prohibition on use and dis- 
closure of information for treatment, payment and health care operations without 
prior consent. 

One State — Maine — did attempt such a broad prior consent requirement in 1999. 
The Maine law was suspended in an emergency session of the legislature after only 
12 days because of severe disruptions in patient care. 

Fourth: The modification making consent optional is a workable compromise of two 
diametrically opposed approaches taken in the Clinton proposed regulation and the 
Clinton final regulation. 

In November 1999, the Clinton administration’s proposed privacy regulation not 
only rejected the idea of mandating that providers obtain consent, it went so far as 
to prohibit them from obtaining it. In doing so, the Clinton administration argued 
that “(s)uch authorizations could not provide meaningful privacy protections or indi- 
vidual control and could in fact cultivate in individuals erroneous understandings 
of their rights and protections.” In addition, they maintained that separate author- 
ization for routine referrals “could impair care.” 

Many physician and other groups objected to the prohibition on obtaining consent. 
In response, the administration went to the other extreme and mandated prior con- 
sent in the final rule. The recently announced modifications strike the right balance 
between these two extremes. Providers may obtain consent if they wish to do so. 
However, a provider will not have to delay treatment. 

Fifth: Even advocates for the most stringent privacy regulations testified last year 
that the prior consent requirement was “meaningless” and “coerced” because if the 
patient refused to sign the consent, the provider could deny treatment. 

If the patient refuses to sign, there are many situations in which laws, regula- 
tions, practice guidelines, and our code of ethics requires physicians to treat the pa- 
tient. The physician following the code of ethics would then be in violation of the 
privacy regulation and subject to civil and even criminal penalties. 

Sixth: Various press articles have suggested that physicians do not support the modi- 
fication to the consent provision. It is important for Members of Congress to know 
that many, if not most, physician organizations support the modification. 

In an April 10 letter to Congress which is attached to my statement, organizations 
representing family physicians, surgeons, cardiologists, OB/GYNs, and others — over 
400,000 physicians in all — expressed support for making consent optional. 

Research and “De-identification” of Patient Information 

The modifications proposed by the Department with respect to research make sev- 
eral key improvements that will eliminate unnecessary barriers to the conduct of 
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life-saving research, while maintaining important protections for patient confiden- 
tiality. In particular, the modifications simplify, for patients and researchers, the 
procedures and paperwork involved. 

However, one additional revision to the privacy regulation is needed. We believe 
the regulations should permit a limited set of data which has been “facially de-iden- 
tified” to 4 be disclosed for research purposes. The Department is considering such 
a revision, but has invited further comment before making a final decision to make 
the change. 

The stringency of the final rule’s requirements for de-identifying information 
prompts concerns that the standard would render data useless for much research. 
Under the final rule, some 18 characteristics would need to be removed from data 
to render it “de-identified.” Most of the characteristics make sense, such as names 
and addresses, which could directly identify an individual. However, some do not. 
For example, zip codes, admission and discharge dates, date of death, and age do 
not directly identify an individual. However, such information is often critical to 
conducting research. Epidemiological studies routinely use hospital admission and 
discharge dates, date of death to track and understand diseases. Such studies have 
taken on new importance with the threat of bioterrorism. Hospitals need to be able 
to share de-identified information for such purposes, as well as for improving the 
quality of care for patients, and improving community health services. Under the 
final rule, sharing this information is not permitted. 

There may be no other issue that has so united those in health care; the change 
is supported by virtually every corner of the health care community. This includes 
groups ranging from the Association of American Medical Colleges, the American 
Medical Association, State hospital associations, patient and consumer groups. At- 
tached to my statement are two letters from these groups. 

Mr. Chairman, that concludes my statement. Thank you, again, for giving me this 
opportunity to testify this morning. I will be happy to answer your questions. 

The Chairman. Thank you very much for your very interesting 
statement, which I think with the other statements puts this in 
some perspective. 

I would like to ask Ms. Goldman, the difference between notifica- 
tion and consent and how you respond to points which were raised 
recently by Dr. Clough and others about these areas of treatment 
which are necessary and really in the interest of the patient, and 
by failing to do sort of a more comprehensive, like the administra- 
tion is doing, that we really can be perceived as putting the patient 
at risk. These are some of the balances. Your response? 

Ms. Goldman. I think it is important to keep in mind that we 
put the patient at risk today by not protecting privacy and we have 
data that shows that, that people are putting their own care at 
risk. They are withholding information and they are afraid to seek 
care. So people are at risk. 

Protecting privacy does not put them at risk, particularly if there 
are doctors who want to get the consent to their patients before 
using their information to treat them or to pay for their care. 
Someone may decide to pay out-of-pocket and the consent form 
gives them the opportunity to say to their doctor, “I am going to 
pay out-of-pocket, so I do not want to consent to have the informa- 
tion shared for payment purposes.” Many doctors, I think, includ- 
ing Dr. Harding and others, would say that they would want to use 
the consent. It is optional certainly for them to decide they want 
to mandate it, but they do not have to do that. 

And asking someone to consent to having their information used 
is certainly different than asking them to sign a notice just telling 
them how their information is going to be used. It is a dramatically 
different kind of piece of paper and not one I think which is just 
about paperwork burden, but which is involving the patient in deci- 
sions about his or her care. 
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The Chairman. Well, how do you respond to these points that 
have been raised that by not taking — we have had the example of 
the pharmacist and we have had doctors mention these others 
kinds of areas. Are you suggesting that we have the right to pri- 
vacy or the consent form and then have exceptions for these par- 
ticulars? And can you ever get enough on the list? Your answer? 

Ms. Goldman. Well, the Health Privacy Project has been saying 
for a year that certain glitches and certain unintended con- 
sequences in the privacy regulation should be fixed. We think they 
should have been fixed a year ago. So we think that what the sec- 
retary of HHS should have done was to make targeted modifica- 
tions to the privacy regulation to address the consent problems. 

Pharmacies should have — this problem should be fixed. Making 
referrals, exactly the same problem, that information occasionally 
needs to be received before a prescription is filled or a referral is 
made. Those are glitches that should have been fixed and we say 
in our testimony very specifically, we make recommendations that 
those problems should be fixed. But there is no need, and I think 
it is unjustified to use those examples to eliminate the consent re- 
quirement completely. 

The Chairman. Dr. Clough. 

Dr. Clough. The problem, I think, is that glitches as they occur 
under the current rule would interfere with treatment and would 
interfere with it until they get corrected. Glitches under the other 
approach would not interfere with treatment and could be corrected 
later with less disruption of care. 

And with respect to prior consent, I would say that if you think 
about what happens in a physician-patient encounter, when I first 
see a patient, I have never seen them before, they have never seen 
me before and I am asking them to sign a blanket agreement that 
what I do is okay, I think that is less meaningful than getting 
some information on the table, deciding what it is that needs to be 
consented to, and then get the consent for treatment because I 
think that is where the important consent really is. 

Patients can tell me that they do not want their information re- 
leased and I respect that and I do not release it if they do not want 
it released, and I think every physician does that. 

So I would say that these modifications improve the functionality 
of the rule without diluting it and give a chance to change the rule 
in the direction of greater privacy if that is necessary, but without 
interfering with patient care in the process. 

Ms. Goldman. Mr. Chairman, can I respond to what Dr. Cough 
has said? 

The Chairman. Go ahead. 

Ms. Goldman. It is an interesting point that when a patient asks 
him to maintain confidentiality and not to share information, that 
he respects that and the consent form that is in the final regulation 
gives his patients the opportunity to have that conversation with 
him. It is exactly that initial moment that triggers that kind of a 
conversation. 

A notice is much less likely to ever trigger that conversation and 
ever allow for that to happen between Dr. Clough and his patients. 

The Chairman. I am going to have to submit the other questions, 
but I thank you. This is an enormously important area. As I said, 
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there are few values that we have that are really more important 
than privacy as a country and a society and I think in the medical 
area it is right at the top. 

We have heard a lot of good testimony today, conflicting testi- 
mony, but it does not lessen the importance that I think we have 
as a committee and as a Senate to do what is necessary in terms 
of both giving the assurance of good treatment, but also in terms 
of protecting the privacy, and we are committed to trying to do 
that. 

I thank our panel very much. We will submit some questions for 
you. 

The hearing stands in recess. 
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ADDITIONAL MATERIAL 

Prepared Statement of the American Hospital Association 

The American Hospital Association (AHA) and its nearly 5,000-member hospitals, 
health systems, networks, and other providers are committed to safeguarding pa- 
tients’ medical information and ensuring that patients understand and have appro- 
priate access to their medical information. We believe Congress shared these goals 
when it enacted the Health Insurance Portability and Accountability Act (HIPAA) 
in 1996. Unfortunately, the final regulations implementing that vision elevated bu- 
reaucracy above common sense in a number of crucial respects. 

Before the Administration proposed changes last month, the rule’s most alarming 
provision for hospitals and our patients was the requirement that patients read, re- 
view and return a 10-page privacy notice and a separate consent form before they 
could be cared for. Hospitals were deeply distressed by visions of parents with sick 
or injured children being met at the hospital door not with care and compassion, 
but with a lengthy privacy notice that had to be read, and a consent form that had 
to be signed, before care could be provided for the child. Yet, that is precisely what 
the medical privacy regulations required hospitals to do. 

Make no mistake — hospitals are genuinely committed to ensuring that patients 
know how their medical information is being used, what their rights are and how 
they can exercise them. That is not up for debate. What is up for debate is whether 
the current medical privacy regulations enhance medical privacy or frustrate it by 
delaying care for patients. The current privacy rule prohibits patients and their phy- 
sicians from scheduling any testing procedures, outpatient surgery or other care the 
government determines isn’t an emergency until the patient (1) receives and reads 
their privacy notice, and (2) signs and returns the consent form to the hospital. For 
hospitals, the answer is clear: the written consent requirement will frustrate pa- 
tients and providers to no necessary end. 

To test consumer reaction to these written consent requirements, the AHA com- 
missioned an independent research firm, Market Strategies, to poll more than 900 
consumers this month about their reaction to the way hospitals were required to 
implement the consent requirement under the medical privacy regulation. Here’s 
what consumers told them: 

• 86 percent think asking a sick person to sign a legal document that could be 
10 pages when they see a doctor, nurse or pick up a prescription at the pharmacy 
is an unnecessary burden. 

• 85 percent agree that elderly Americans will be hurt the most because they see 
many different physicians and often have someone else pick up prescriptions for 
them. 

• 84 percent believe that time spent in a doctor’s office should be spent on patient 
care, not filling out more paperwork. 

• 77 percent agree that the government should not make hospitals wait to sched- 
ule tests until the patient reads the privacy notice and signs and returns a consent 
form to the hospital. 

The April poll confirms what the AHA had learned earlier this year from a series 
of four focus groups that Market Strategies conducted in Tampa and St. Lois. When 
apprised on the written consent requirements, consumers said: 

“This will be a paperwork nightmare.” 

“They should simply require that hospitals and pharmacies post this [privacy notice], but signing a form is 

ridiculous. ” 

“I’ve waited 2 hours to see the doctor and he’s got to do all this?” 

The recent announcement by the Department of Health and Human Services 
(HHS) that it was proposing to replace redundant written consent requirements 
with a written acknowledgment came as welcome news. That proposal does not 
weaken, much less eliminate, any of a patient’s privacy rights. It does not change 
the fact that hospitals are not permitted to use patients’ information for marketing 
or research, without their express written permission. Instead, it allows hospitals 
to immediately work with patients and their doctors to provide or schedule medical 
treatment or tests. Hospitals are still required to try and obtain written acknowl- 
edgment from a patient that he or she has received the privacy notice, but they can 
do so when it’s convenient for the patient — not the government. Moreover, asking 
patients to acknowledge in writing that they have received the hospital’s privacy no- 
tice signals to patients that the notice contains important information that they 
should read and understand. 
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Hospitals welcome the proposed change because we care for and about patients — 
we want all of our patients to be met at the hospital door with care and compassion, 
not paperwork and delay. Written acknowledgement will let us keep that promise. 

Many lawmakers agree. On July 3, 2001, 165 members of the House of Represent- 
atives sent a bi-partisan letter to HHS Secretary Tommy Thompson telling him that 
“scheduling patients for surgery, x-rays or other vital services should not depend on 
patients having to complete an exhaustive privacy and consent form that could be 
10-or-more pages long.” HHS responded by replacing redundant written consent 
with written acknowledgement, which eliminates a barrier to patient care. 

Conclusion 

A top priority for America’s hospitals is safeguarding patient privacy while ensur- 
ing that nothing gets in the way of patient care. HHS’ proposal to replace the redun- 
dant written consent requirement with patient acknowledgement removes one of the 
privacy rule’s key roadblocks to the delivery of good patient care. It is good for pa- 
tients and hospitals and does not sacrifice patients’ privacy rights. 

WHY WRITTEN ACKNOWLEDGEMENT IS BETTER FOR PATIENTS AND PROVIDERS 

As a result of HHS’s proposed changes to the HIPAA privacy rules, the AHA has 
prepared a series of Qs & As to help hospitals respond to inquiries from patients 
and the public. 

Question 1. Will I know what my rights are if I don’t have to sign a written con- 
sent form for hospitals to use my health information? 

Yes. Hospitals are still required to provide you with a written notice of their pri- 
vacy practices (called a “privacy notice”) that explains how hospitals are permitted 
to use your medical information. Hospitals are permitted to use your medical infor- 
mation for only three purposes: (1) treating you; (2) obtaining payment for your 
care; and (3) for their own operations, including improving their ability to provide 
quality care to you and other patients. Hospitals are not permitted to use your med- 
ical information for any other purpose, such as for marketing or research, without 
your written permission, except in a medical emergency or other very limited cir- 
cumstances, such as those permitted or required by Federal and State law. 

The privacy notice explains your medical privacy rights, such as your right to see 
and copy your information or request to change that information. It also tells you, 
for example, where you need to go to see and copy your information or to request 
to change it. 

Question 2. Doesn’t signing a written consent form make it more likely that I will 
learn about or understand my privacy rights? 

No. The privacy notice you will receive from the hospital — not the written consent 
form — explains your privacy rights. The written consent form didn’t provide any ad- 
ditional information that isn’t already in the privacy notice. Under the changes pro- 
posed, hospitals will be required to have you acknowledge in writing that they have 
given you their privacy notice. Hospitals want patients to know and understand 
their medical privacy rights. And by having you acknowledge that you were given 
a copy of their privacy notice, hospitals are letting you know that the privacy notice 
has important information that you need to read and understand. 

Question 3. Will I be losing any of my privacy rights if I’m not required to sign 
a written consent form? 

No. None of your privacy rights will be lost. Your rights are guaranteed by the 
rule and by the notice, whether or not you sign a consent form. For example, you 
will still have the right to request that the hospital not contact you at the office 
with any test or medical results, but only call you at your home. 

Question 4. Was there something wrong with having patients sign a written con- 
sent form? 

Yes. Hospitals could not work with you or your doctor to schedule any testing pro- 
cedures, outpatient surgery or other care the government determined wasn’t an 
emergency until you (1) received and read their privacy notice, and (2) signed and 
returned the consent form to the hospital. Hospitals were not allowed to make any 
exceptions to this rule, even for disabled or elderly Americans or those who lived 
in remote rural areas. Hospitals were very concerned that their ability to respond 
quickly to the needs of their patients would be hampered by this unnecessary re- 
quirement and that patients would be frustrated with them because they were not 
allowed to make exceptions to this Federal law. 

Question 5. Will the hospital be able to use my health information in ways that 
are not approved by the Federal privacy rule if I don’t sign a written consent form 
for the use of my information? 

No. The rules continue to obligate hospitals to use your health information only 
for (1) treating you; (2) obtaining payment for your care, and (3) for their own oper- 
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ations, including improving the quality of care they provide to you and other pa- 
tients. Hospitals must explain the ways they will use your health information in the 
privacy notice they have to give to you. A hospital cannot use or disclose your health 
information in other ways, such as for marketing or research, unless the hospital 
gets your written permission before doing so. 

Question 6. Is a hospital prevented from getting my written consent to use my 
health information? 

No. Hospitals and doctors are still permitted to ask for your written consent be- 
fore they use information about you to provide health care services; however, if they 
use a written acknowledgement, they won’t have to delay providing care for you 
until you (1) received and read their privacy notice, and (2) signed and returned the 
consent form to the hospital or doctor. 

Question 7. Will hospitals know that I received their privacy notice if I don’t have 
to sign a written consent? 

Yes. The proposed changes to the privacy rules require hospitals to have you ac- 
knowledge, in writing, that you received their privacy notice. At the time you re- 
ceive the notice, the hospital will ask you to acknowledge in writing that you re- 
ceived the notice. 

Question 8. Will this new proposal requiring me to acknowledge that I have re- 
ceived the privacy notice mean that I’m spending more time filling out forms in the 
hospital admission office or emergency room? 

No. Signing an acknowledgement should not increase the time you have to spend 
in the admission process. In an emergency situation, this acknowledgement can 
even be delayed to allow you to give it at a less stressful and more convenient time. 

Question 9. Why is a written acknowledgement that I received the hospital’s pri- 
vacy notice better than the requirement that I sign a written consent? 

The written acknowledgement allows hospitals to immediately work with you or 
your doctor to treat you or to schedule any testing procedures, outpatient surgery 
or other care. In an emergency situation, hospitals can even delay getting your writ- 
ten acknowledgement until a less stressful and more convenient time for you. The 
acknowledgement does not take away any of your privacy rights. And it is still an 
effective way for hospitals to let you know that the privacy notice they give to you 
has important information about your privacy rights that they want you to read and 
understand. 

The written consent requirement, on the other hand, forced hospitals to delay 
scheduling any testing procedures, outpatient surgery or other care or giving you 
any treatment the government determined wasn’t an emergency until you (1) re- 
ceived and read their privacy notice (which could be as long as 10 pages in order 
to meet Federal requirements), and (2) signed and returned the consent form to the 
hospital or doctor. Hospitals were not allowed to make any exceptions, even for dis- 
abled or elderly Americans or those who lived in remote rural areas. The written 
consent requirement increased the paperwork burden for patients and hospitals 
without giving you any new privacy rights that the rule and the privacy notice 
doesn’t already guarantee or any additional information about your rights that isn’t 
already in the privacy notice. 

Question 10. Do the proposed changes to the privacy rules affect any of my pri- 
vacy rights? 

No. The proposed changes to the privacy rules do not do away with or weaken 
any of your privacy rights. Your rights continued to be guaranteed. The proposed 
changes only get rid of a significant roadblock that would have forced hospitals to 
delay your treatment until you (1) received and read their privacy notice, and (2) 
signed and returned the consent form to the hospital or doctor, and cut the unneces- 
sary paperwork burden for patients and hospitals. 

Prepared Statement of Members of the Alliance of Medical Societies 

As you are aware, on March 27, 2002, the Department of Health and Human 
Services (HHS) issued a proposed rule to modify the “Standards for Privacy of Indi- 
vidually Identifiable Health Information.” We, the undersigned members of the Alli- 
ance of Medical Societies, strongly support the proposed modifications that HHS is 
considering with respect to prior consent and research and would also like to com- 
ment on the business associates provision. 

The Alliance of Medical Societies comprises 12 national medical societies rep- 
resenting more than 150,000 specialty-care physicians. Its mission is to promote 
sound Federal health care policies that will enhance the ability of specialty-care 
physicians to provide the best possible health care to their patients. 
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Prior Consent 

The proposed modifications to the prior consent portion of the rule represents a 
workable compromise between the original proposed regulation issued in 1999 that 
would have prohibited providers from obtaining consent and the final privacy regu- 
lation issued in 2000 that mandated prior consent requirements. These modifica- 
tions maintain the patient privacy protections required by Congress without dis- 
rupting patient access to quality health care. 

The Alliance supports meaningful privacy protections for patients’ medical records 
and believes that it is important for patients to be notified of their rights. The pro- 
posal for regulatory permission as opposed to mandatory written consent would not 
change the ethical and professional practice of physicians and most health care pro- 
viders to obtain patient consent. Not only would the prior consent requirement add 
yet another mandatory form to the already unmanageable paperwork burden that 
physicians and practitioners face on a daily basis, it could pose serious problems for 
patient care. HHS outlined many of the potential problems in the proposed rule. We 
strongly believe that HHS chose wisely in proposing to make prior consent discre- 
tionary, and we oppose any efforts to change it. 

Medical Research 

We also thank the Administration for improving the provisions governing medical 
research. The proposed modifications alleviate the burdens placed on medical re- 
searchers and removes obstacles that would impede important public health re- 
search. In particular, the Alliance supports the Administration’s proposal to simplify 
the authorization process and to eliminate the inconsistent privacy review criteria 
for Institutional Review Boards. Without these critical changes, health care studies 
may be abandoned or avoided altogether as the burdens and liability associated with 
compliance would deter many medical researchers. 

In addition, although HHS did not propose to modify the de-identification stand- 
ard, we appreciate their call for additional comments on this provision. We urge the 
Department to reconsider the Final Rule’s current standard, which requires the re- 
moval of 18 characteristics from data in order to render it “de-identified.” Some of 
the data that must be removed — specifically, dates of admission or service and de- 
vice serial numbers — are often needed when evaluating medical records for epide- 
miological and other health related research. 

We believe the regulation could be improved significantly by modifying the de- 
identification standard to require that information instead be stripped of direct iden- 
tifiers that would facially identify an individual. Direct identifiers would be defined 
as name, address, electronic mail address, telephone number, fax number, social se- 
curity number, health benefits number, financial account numbers, drivers license 
number or other vehicle numbers that are in the public records system. 

Business Associates 

While the Administration proposes to provide a 1-year window for covered entities 
to revise their contracts with business associates, these same covered entities will 
be required to comply with the new rule regardless of whether or not a new contract 
has been secured. Hence, the 1-year window provides a false sense of flexibility. We 
are further concerned that HHS will require business associate contracts between 
two covered entities. This seems to defy reason since each covered entity will be re- 
quired to comply with the regulation independently. 

To conclude, we strongly support meaningful and workable privacy protections for 
patients’ medical records and appreciate this opportunity to express our views on 
the modifications to the privacy regulations proposed by HHS. 

Sincerely, American Academy of Dermatology Association; American Assoc, of 
Neurological Surgeons/Congress of Neurological Surgeons; American Association of 
Orthopaedic Surgeons; American College of Cardiology; American College of Radiol- 
ogy; American Society of Cataract & Refractive Surgery; 

Prepared Statement of Sue A. Blevins 

Thank you, Mr. Chairman and Committee members, for holding this timely public 
hearing to examine how the proposed revisions to the Federal medical privacy rule 
will affect patients’ control over their personal health information. I appreciate the 
opportunity to submit written testimony and focus on the concerns raised by thou- 
sands of citizens who submitted comments to the U.S. Department of Health and 
Human Services (HHS) opposing access to their personal health information without 
their consent. 

In particular, sections 164.502 and 164.506 of the revised rule give the Federal 
Government the regulatory authority to decide for each and every citizen who can 
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access individuals’ medical information-including genetic information-for most pur- 
poses, including medical treatment, payment and health-care operations. The U.S. 
Department of Health and Human Services and the medical industry should not be 
making these decisions for individuals. In fact, a national Gallup survey shows that 
Americans want to be the ones to decide who can see their personal health informa- 
tion with — or without — their consent. 

Majority of Americans are Concerned About Medical Privacy According to a National 
Gallup Survey 

The Institute for Health Freedom commissioned a national Gallup survey to find 
out how Americans feel about medical and genetic privacy. We had heard from pri- 
vacy advocates across the country about their concerns. But we wanted to find out 
how ordinary citizens across the Nation — not just privacy advocates — feel about the 
issue. 

The national Gallup survey was conducted between August 11 and August 26, 
2000 and the results are posted at the Institute for Health Freedom’s Web site: 
www.ForHealthFreedom.org. (As of April 2, 2002, the survey had not been updated 
by the Gallup Organization.) The survey of 1,000 adults nationwide found an over- 
whelming majority of Americans do not want third parties to have access to their 
medical records — including genetic information — without their consent. 

• 95 percent say banks should not be allowed to see patients’ medical records 
without individuals’ consent; 

• 92 percent oppose allowing governmental agencies access to patients’ medical 
records without permission; 

• 88 percent oppose letting police or lawyers review medical records without ex- 
plicit consent; 

• 84 percent say employers should not be allowed access to patients’ medical 
records without permission; and 

• 67 percent oppose researchers accessing patients’ medical records without con- 
sent. 

The national Gallup survey also included two important questions about genetic 
privacy. One asked whether doctors should be allowed to test patients for genetic 
factors without their consent. Only 14 percent of respondents would permit such 
testing; 86 percent oppose it. 

The other question asked whether medical and governmental researchers should 
be allowed to study individuals’ genetic information without first obtaining their 
permission. More than nine in ten adults (93 percent) feel medical and govern- 
mental researchers should first obtain permission before studying their genetic in- 
formation. 

What’s more, when asked whether they are aware of a Federal proposal to assign 
a medical identification number — similar to a Social Security number — to each 
American, only 12 percent said they had heard anything about it. College-educated 
adults (16 percent) are more likely than those with less than a college education 
(8 percent) to be aware of the proposal. Regardless of their knowledge about it, how- 
ever, an overwhelming majority (91 percent) oppose the plan. 

I strongly encourage this committee to consider how the final and revised Federal 
medical privacy rule is going to strip patients of the ability to decide who can access 
their personal health information (including genetic information) with — or without — 
patients’ consent. 

Finally, following is a “questions and answers” summary about the proposed re- 
vised Federal medical privacy rule: 

Update on the Federal Medical Privacy Rule: Questions and Answers* 

Americans are being told they will have stronger medical privacy protections 
under the revised Federal medical privacy rule published in the Federal Register 
on March 27, 2002. 1 However, the following “questions and answers” summary 
shows that the revised rule does not provide patients stronger medical privacy. 
Rather, it actually weakens individuals’ ability to restrict access to their medical 
records. 

The following summary is based on a review of the revised Federal medical pri- 
vacy rule (published March 27, 2002) 2 compared to the final Federal medical pri- 


1 “Standards for Privacy of Individually Identifiable Health Information,” Federal Register, 
Vol. 67, No. 59, March 27, 2002, pp. 14776-14815, [http://www.access.gpo.gov/su — docs/fedreg/ 
aO20327c.html]. 

2 “ Ibid. 
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vacy rule (published December 28, 2000). 3 Citations to specific key pages are pro- 
vided to help the public, media, and policymakers understand the serious implica- 
tions of the rule. 

Does the revised Federal medical privacy rule provide consumers greater control over 
the flow of their personal health information ? 

No, under the revised Federal medical privacy rule, patients will not be in control 
of deciding whether they want health insurers, doctors, and medical data-processing 
companies to share their personal health information — including genetic informa- 
tion — with others. Rather, health insurers, doctors and medical data-processing com- 
panies are actually granted “regulatory permission” to share patients’ health infor- 
mation for any activities related to patients’ health care treatment, processing of 
their health care claims, or “health care operations” — a term which encompasses 
many activities unrelated to patients’ direct care (such as permitting FBI officials 
to search medical records looking for fraud and abuse activities). 4 

Also, under the revised Federal medical privacy rule health insurers, doctors, and 
medical data-processing companies will not need to get patients’ written, informed 
consent before sharing patients’ personal health information — including past medi- 
cal records and genetic information — with many third parties. 

How Does Congress or HHS Define “Medical Privacy” or “Privacy”? 

They don’t. Ironically, while the Federal medical privacy rule includes many defi- 
nitions, the terms “medical privacy” or “privacy” are not clearly defined in the rule. 5 
Instead, a Federal committee composed primarily of fact-gathering experts was 
given the legal authority to advise HHS in establishing standards for Americans’ 
medical privacy. 6 

Are patients guaranteed the right to sign private contracts with their doctors to with- 
hold personal health information from third parties ? 

No, patients cannot withhold their personally identifiable health information from 
the U.S. Department of Health and Human Services. In fact, the rule creates a mas- 
sive Federal mandate that requires every doctor and other health care practitioner 
to share patients’ records with the Federal Government — specifically the U.S. De- 
partment of Health and Human Services (HHS) — without patient consent. 7 The Fed- 
eral Government even has the right to access an individual’s psychotherapy notes 
in order to monitor compliance with the rule. 8 

Will patients be guaranteed the right to an accounting of to whom and when their 
personal health information was disclosed for health care services related to 
their treatment and processing of health claims ? 

No, patients will not receive an accounting of to whom and when their records 
were disclosed for most health care services, including activities related to treat- 
ment, payment, or health care operations (a broad definition encompassing many 
uses). 9 

In just a few years, patients’ personally identifiable health information is going 
to be flowing over the Internet — without patients’ permission — for purposes related 
to treatment, payment, and health care operations. But patients won’t even know 
this is happening because they won’t be able to obtain an accounting of disclosures 
for treatment, payment, and health care operations. 

Will President Bush’s proposed changes to the Federal medical privacy rule (pub- 
lished March 27, 2002) strengthen or weaken Americans’ medical privacy ? 

It is important to note that the Clinton Administration initially proposed prohibit- 
ing doctors and hospitals from getting patients’ consent before releasing their medi- 
cal information. 10 But after receiving more than 52,000 public comments, the Clin- 
ton Administration revised the rule and added a very weak, coercive consent provi- 
sion. 


3 “Standards for Privacy of Individually Identifiable Health Information,” Federal Register, 
Vol. 65, No. 250, December 28, 2000, pp. 82462-82829, [http://www.access.gpo.gov/su — docs/ 
fedreg/aO01228c.html], 

4 Federal Register, Vol. 67, No. 59, March 27, 2002, pp. 14780, 14812. 

5 Federal Register, Vol. 65, No. 250, December 28, 2000, pp. 82798, 82803-82805; Federal Reg- 
ister, Vol. 67, No. 59, March 27, 2002, pp. 14810-14812. 

6 Federal Register, Vol. 67, No. 59, March 27, 2002, p. 14777. 

7 Federal Register, Vol. 65, No. 250, December 28, 2000, p. 82802. 

8 Ibid., pp. 82811, 82805. 

8 Ibid., p. 82826. 

10 Federal Register, Vol. 64, No. 212, November 3, 1999, p. 59941. 
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However, the Bush Administration is legally permitting health insurers, doctors 
and medical data-processing companies to release patients’ personal health informa- 
tion without asking patients for their permission. Instead, these entities can simply 
provide notices of how the information will be shared. This policy takes the active 
decisionmaking authority away from patients and shifts it to doctors and hospitals. 
This is a major shift away from the precious health care ethics that we have hon- 
ored for many years in this country: the ethics of consent and confidentiality. 

In addition to allowing patients’ medical records to be disclosed for treatment, pay- 
ment and health care operations, who else can see patients’ records without pa- 
tients’ consent ? 

Under the Bush Administration’s revised rule (as under Clinton Administration’s 
final rule), Americans’ medical records can be disclosed for many broadly defined 
purposes without patient consent, including, but not limited to, the following: 

• Oversight of the health care system 

• FDA monitoring (including dietary supplements) 

• Public health surveillance and activities 

• Foreign governments collaborating with U.S. public health officials 

• Research (if an IRB or privacy board waives consent) 

• Law enforcement activities 

• Judicial and administrative proceedings 

• Licensure and disciplinary actions. 11 

Does the Federal medical privacy rule provide patients recourse if their privacy is 
breached? 

No, patients are not guaranteed any recourse other than the right to complain. 12 
They can complain to their health care providers or institutions about privacy 
breaches. They also can complain to the Secretary of the U.S. Department of Health 
and Human Services. However, the HHS Secretary does not have to investigate the 
complaint. The final rule reads that the Secretary “may,” not “shall,” investigate 
complaints. 13 

Additionally, individuals do not have a private right of action (they can’t sue) if 
their privacy is breached under the final medical privacy rule. 

Why was the Federal medical privacy rule created in the first place? 

The Federal medical privacy rule was established as dictated by the Health Insur- 
ance Portability and Accountability Act of 1996 (HIPAA) that fosters the develop- 
ment of a national health information network through standardized codes for all 
health care services nationwide. 14 The HIPAA law requires health plans to use na- 
tional standardized codes for electronic transactions for payment of medical care. 
The HIPAA law additionally requires that unique health identifiers be assigned to 
four groups, including every: (1) individual, (2) health care provider, (3) employer, 
and (4) health plan. 15 Those identifiers will facilitate electronic transactions for all 
types of health care, whether services are paid by government or privately. (Note: 
the individual identifier has been put on hold temporarily for 1 year.) 

The result will be that each patient’s visit to a doctor or hospital will be easily 
tracked. 

In the next few years, it is going to become increasingly simple to transfer elec- 
tronic medical records over the Internet. With just a click of a mouse, it will be 
much easier to access and share individuals’ records with many third parties. That 
is why all Americans should become informed about the Federal medical privacy 
rule and demand the right to control their most personal information — their health 
information, including genetic information. 

*This update analysis on the Federal medical privacy rule was prepared by Sue 
Blevins, President, Institute for Health Freedom and Deborah Grady, Research As- 
sociate, Institute for Health Freedom. Many of the Federal medical privacy rule pro- 
visions remain the same as those analyzed in a previous paper titled “The Final 
Federal Medical Privacy Rule: Myths and Facts” by Sue Blevins and Robin Kaigh, 
Esq. (February 8, 2001), see [http://www.forhealthfreedom.org/Publications/Privacy/ 
MedPrivFacts.html], 


11 Federal Register, Vol. 65, No. 250, December 28, 2000, pp. 82525, 82528, 82813-82817. 

12 Ibid., pp. 82801 - 82802 . 

13 Ibid., p. 82802. 

14 “Health Insurance Reform: Standards for Electronic Transactions; Announcement of Des- 
ignated Standard Maintenance Organizations; Final Rule and Notice,” Federal Register, Volume 
65, No. 160, August 17, 2000, pp. 50312-50313. 

15 Ibid., p. 50313. 
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[Whereupon, at 12:10 p.m., the hearing was adjourned.] 

O 



